Cross-chain Bridging is Broken — But We Know How to Fix It

Kadan Stadelmann is the Chief Technology Officer (CTO) of Komodo (KMD), a decentralized, open-source blockchain and a major player in blockchain interoperability and atomic swap technology.
__________

2022 has illuminated problems in cross-chain bridge architecture

As of August 2022, there’s been $2 billion total in crypto losses, with 69% of stolen crypto funds originating from hacking protocols that bridge different blockchains.

The cross-chain token bridge Nomad, lost $190 million in an exploit a few weeks ago and layer-1 blockchain bridging protocol Harmony Horizon lost $100 million after a hack in June.

Earlier this year, Ronin lost $650 million and Wormhole lost $325 million. The Wormhole hack was caused by a fake deposit exploit. Attackers initiated a fake deposit and fooled the validators into approving a withdrawal of an equal size.

What do these hacks have in common? These bridges all used Automated market maker technology (AMMs). Here are three ways we can make cross-chain bridges safer.

Step 1: Use peer-to-peer bridges instead of AMMs

The major hacks mentioned above could have been avoided using peer-to-peer (P2P)-powered bridges instead of AMMs and here’s why. P2P brides don’t rely upon complex smart contracts or liquidity pools. They use atomic swaps and order books, enabling cross-chain swaps to be completely trustless and decentralized without middlemen. Swaps are described as “atomic” because with each order, either the trade completes and two users exchange funds or the trade doesn’t complete and original funds are distributed back to the two users.

AMMs use liquidity pools, which are essentially centralized pots of money that depend on smart contracts. The pools are the vulnerable element, which can get hacked or rugpulled. P2P bridges do not use pools, meaning user funds are never left vulnerable to these types of exploits.

Step 2: Pay attention to the number of validators for AMM bridges

If an AMM bridge must be used instead of a P2P platform, users should use an AMM bridge with a higher number of validators.

A small group of validators makes it easy for hackers to target. The more validators there are for a bridge, the more decentralized and secure it is.

With the Ronin hack, hackers were able to get control of five of nine validators. The attacker only had to hack one person to get four validators from that device, and then hacked Axie DAO to obtain the 5th validator. The need for only a few signatures bodes little security as there are not enough validators to ensure the integrity of bridge transactions will stay intact.

We need to see more validators on AMM bridges. Using a multi-signature wallet is crucial, but it doesn’t really matter if it only requires an attacker to exploit two or three wallets.

Case in point, the Horizon bridge attacker allegedly took control of the multi-signature wallet leveraged in Harmony’s bridge. Because the bridge was a two-of-five multi-signature scheme, anyone with access to private keys for two of these addresses could take control of the bridge.

Step 3 — Use bridges that have received professional audits

Project developers should take extra precautions and use audits before deploying any bridge. Developers can use real-time threat monitoring solutions to stop or at least mitigate the fallout from hacks. Audit companies also guide developers in the right direction, advising on what changes to make before applications are deployed. Before deploying new smart contracts, it’s essential to battle-test them and be aware of various attack vectors.

Users should research and take control of their funds by only using bridges that have been audited by credible firms, and by reading through the audit reports to catch issues on the bridge that have been noticed and resolved.

Audit companies normally review the project’s smart contract, which holds the contract’s code that interacts with a blockchain and cryptocurrency, to find the most noticeable errors. They pay extra attention to the contract’s stability and efficiency. Auditors may also look at the project team’s financial records including cryptocurrency trade history, bank account statements, credit card payments, loan payments, tuition costs, and insurance payments.

The goal is to elevate the security, privacy, and usability of the blockchain ecosystems.

Practicing digital security

There are five best practices that anyone can do to harden their digital security.

1. Wipe your devices or change to a new device regularly.
2. Use state-of-the-art security like hardware wallets and two-factor authentication apps/devices.
3. Isolate your device environments. Don’t use the same device for work for things like downloading files from finance apps.
4. If you have enough technical expertise, always validate every file or crypto transaction.
5. If you aren’t an expert, hire a whitehat hacker who is.

Weakening the hacker’s power

The most important safety measures for users to follow are to know the type of bridge you’re trading on and where possible, use P2P bridges over AMMs. If you are using an AMM bridge, research the number of validators required to secure a transaction before trusting the bridge and look for professional audits.

In 2020, just two years ago, there was around $4 billion in crypto, now there is about $1 trillion in value of all existing cryptocurrencies.

We will continue to see more money circulated through the crypto ecosystem, so it is essential to establish security and safety protocols for users to actively protect their funds. This will allow the blockchain industry to have a profound foundation to build upon for years to come.

Source