AUGUST 9 (Reuters) – Another day, another hack and another blockchain bridge caught fire.
When thieves stole an estimated $190 million from US crypto firm Nomad last week, it was the seventh hack of 2022 to target an increasingly important cog in the crypto machine: blockchain “bridges” – strings of code that help move cryptocurrencies between different applications.
So far this year, hackers have stolen nearly $1.2 billion worth of crypto from bridges, data from London-based blockchain analytics firm Elliptic shows, already more than double last year’s total.
“This is a war in which neither the cybersecurity company nor the winning project can be the winner,” said Rongwe Ho, a professor of computer science at Columbia University in New York and co-founder of cybersecurity firm CertiK.
“We have to protect a lot of projects. For them (the hackers) when they look at one project and there are no errors, they can simply move on to the next project, until they find one weak spot.”
Currently, most digital tokens run on their own unique blockchain, which is essentially a public digital ledger that records crypto transactions. This risks projects using these coins becoming isolated, reducing the potential for widespread use.
Blockchain bridges aim to tear down these walls. Backers say they will play a key role in ‘Web3’ – the very popular vision of a digital future where cryptocurrencies are involved in online life and commerce.
But bridges can be the weakest link.
The Nomad hack was the eighth largest crypto theft on record. Other bridge thefts this year include a $615 million theft at Ronin, used in a popular online game, and a $320 million theft at Wormhole, used in so-called decentralized finance applications.
“Blockchain bridges are the most fertile ground for new vulnerabilities,” said Steve Pacey, co-founder and CEO of PolySwarm malware detector.
Achilles heel
Nomad and other companies making blockchain bridge software have attracted support.
Just five days before it was hacked, San Francisco-based Nomad said it had raised $22.4 million from investors including major exchange Coinbase Global (COIN.O). Nomad CEO and co-founder Pranai Mohan has described its security model as the “gold standard”.
Nomad did not respond to requests for comment.
It said it is working with law enforcement agencies and a blockchain analysis firm to track the stolen funds. Late last week, it announced a reward of up to 10% for returning the hacked funds from the bridge. On Saturday, it said it has recovered more than $32 million in hacked funds so far.
“The most important thing in crypto is the community, and our number one goal is to get back interconnected users’ money,” Mohan said. “We will treat any party that returns 90% or more of the used money as white hats. We will not prosecute white hats,” he said, referring to so-called ethical hackers.
Several cyber and blockchain security experts told Reuters that the complexity of bridges means that they can be the Achilles heel of the projects and applications that use them.
Ganesh Swami, CEO of blockchain data company Covalent in Vancouver, which had some cryptocurrency stored on Nomad’s bridge when it was hacked, said.
For example, some bridges create copies of cryptocurrencies that make them compatible with different blockchains, while keeping the original coins in reserve. Others rely on smart contracts, complex pledges that automatically execute deals.
The code involved in all of these could contain bugs or other flaws, which could leave the door open for hackers.
Bug rewards
So what is the best way to tackle the problem?
Some experts say smart contract audits can help protect against cyber theft, as well as “bug bounty” programs that incentivize open source reviews of smart contract code.
Others call for less focus on bridge control by individual companies, something they say could enhance flexibility and transparency of code.
“Bridges across the chain are an attractive target for hackers because they often take advantage of a centralized infrastructure, most of which locks up assets,” said Victor Young, founder and chief architect of US blockchain firm Analog.
Additional reporting by Tom Wilson in London and Medha Singh in Bengaluru; Edited by Praveen Shar