Blockchains, bridges and network security

According to blockchain analytics firm Elliptic, more than $1 billion in funds were stolen from blockchain bridges in the first half of 2022 alone. This sum does not include the nearly $200 million estimated to have were stolen from the Nomad Bridge earlier this week. This latest incident is the third largest such hack this year, after the Ronin Bridge hack lost $540 million and the Wormhole Bridge hack lost $325 million.

These events are shocking in both the severity of the loss and the frequency with which they occur. I am often asked what are the implications of these hacks for the blockchains on which the bridges are built. In order to solve this problem, it is important to first understand what a bridge is and how it relates to the underlying blockchains.

What is a bridge?
At its most basic, a bridge is a means of enabling the transfer of digital assets from one blockchain to another. As new blockchains are built and used, allowing users to transfer their assets between them will grow in importance. As an example, consider a user who holds ETH, the native cryptocurrency of the Ethereum blockchain. They want to participate in Decentralized Finance (DeFi) applications, but they feel that the transaction fees on the Ethereum blockchain are too high. Instead, they would like to use DeFi applications on a different blockchain with lower transaction fees, such as the Avalanche Blockchain. In order to access these applications on the Avalanche blockchain, they would need to efficiently transfer their ETH to the Avalanche blockchain network. This is where the bridge comes in. The bridge is a separate application of the two blockchains, but allows the user to transfer value between the two.

Why are bridges vulnerable?
Bridges are vulnerable to hacks as we’ve seen this year for several reasons. One of the main reasons is that the app itself ends up holding significant amounts of crypto assets on behalf of users. Going back to the previous example, when the user transfers their ETH value to the Avalanche blockchain via the bridge, what they are actually doing is sending their ETH to a smart contract on the Ethereum blockchain which is actually delivering a IOU or credit for it ETH, but on the Avalanche blockchain. The ETH sent to the smart contract can be considered as collateral. Thus, the greater the value transferred through a bridge, the more value is held in the contract, which means a higher salary for a potential hacker. An analogy in the traditional space would be that a safe containing $1 billion would be a higher value target for a bank robber than a safe with $1 million.

The other important reason why bridges remain vulnerable, more so than the underlying blockchain, is that they don’t derive any benefit from blockchain security. Rather than having a large decentralized pool of users validating transactions and providing network security as is the case with many large blockchains today, bridges can have entirely different security mechanisms in place. . In this year’s biggest bridge hack – the Ronin hack – the security protocol consisted of a team of nine anonymous validators, and in order to validate transactions, only five of the nine needed to go offline. Compare that to the over 100,000 miners needed to validate transactions on the public Ethereum blockchain.

Do these bridge hacks have implications for the security of the underlying blockchains?
The short answer is no, a hack of a bridge between two (or more) blockchains has no effect on the security of the underlying blockchains. The underlying blockchains will continue to process transactions as they had been, regardless of the hacked bridge. Now there are of course other implications, the main one being that the funds that had been transferred through the bridge have been stolen and their rightful owners will mostly have no chance of recovering this lost value. Sometimes there is enough capital to support the project so that the bridge can be disabled and development teams can reimburse users for lost funds, as happened after the Wormhole Bridge hack, but that doesn’t is never guaranteed.

As more and more application-specific blockchains are built and used, the need for bridges will not go away. On the contrary, the demand will only grow for a bridge solution resistant to these attacks. Whether we’ll end up seeing something like a hack-resistant bridge is hard to say, but until a bridge is developed, users will have to weigh the pros and cons of interacting with bridges on different chains. of blocks.

For our full thoughts on all things blockchain, check out our post “Distributed Ledgers and Digital Assets” published September 16, 2021.

Read the original blog Blockchains, bridges and network security August 4, 2022.

Main contributor: Michael Gourd

This content is a product of the Chief Investment Office of UBS.