Cryptoverse: Blockchain bridges fall into troubled waters
(Corrects spelling of name in paragraph 4)
By Tom Wilson and Medha Singh
Aug 9 (Reuters) - Another day, another hack - and another blockchain bridge burned.
When thieves stole an estimated $190 million from U.S. crypto firm Nomad last week, it was the seventh hack of 2022 to target an increasingly important cog in the crypto machine: Blockchain "bridges" - strings of code that help move crypto coins between different applications.
So far this year, hackers have stolen crypto worth some $1.2 billion from bridges, data from London-based blockchain analysis firm Elliptic shows, already more than double last year's total.
"This is a war where the cybersecurity firm or the project can't be a winner," said Ronghui Gu, a professor of computer science at Columbia University in New York and co-founder of cybersecurity firm CertiK.
"We have to protect so many projects. For them (hackers) when they look at one project and there's no bugs, they can simply move on to the next one, until they find a one weak point."
At present, most digital tokens run on their own unique blockchain, essentially a public digital ledger that records crypto transactions. That risks projects using these coins becoming siloed, reducing their prospects for wide use.
Blockchain bridges aim to tear down these walls. Backers say they will play a fundamental role in "Web3" - the much-hyped vision of a digital future where crypto's enmeshed in online life and commerce.
Yet bridges can be the weakest link.
The Nomad hack was the eighth-biggest crypto theft on record. Other thefts from bridges this year include a $615 million heist at Ronin, used in a popular online game, and a $320 million theft at Wormhole, used in so-called decentralised finance applications.
"Blockchain bridges are the most fertile ground for new vulnerabilities," said Steve Bassi, co-founder and CEO of malware detector PolySwarm.
Nomad and other companies that make blockchain bridge software have attracted backing.
Just five days before it was hacked, San Francisco-based Nomad said it had raised $22.4 million from investors including major exchange Coinbase Global (COIN.O). Nomad CEO and co-founder Pranay Mohan called its security model the "gold standard."
Nomad did not respond to requests for comment.
It has said it is working with law enforcement agencies and a blockchain analysis firm to track the stolen funds. Late last week, it announced a bounty of up to 10% for the return of funds hacked from the bridge. It said on Saturday it had recovered over $32 million of the hacked funds so far.
"The most important thing in crypto is community, and our number one goal is restoring bridged user funds," Mohan said. "We will treat any party who returns 90% or more of exploited funds as a white hats. We will not prosecute white hats," he said, referring to so-called ethical hackers.
Several cyber security and blockchain experts told Reuters that the complexity of bridges meant they could represent an Achilles' heel for projects and applications that used them.
"A reason why hackers have targeted these cross-chain bridges of late is because of the immense technical sophistication involved in creating these kinds of services," said Ganesh Swami, CEO of blockchain data firm Covalent in Vancouver, which had some crypto stored on Nomad's bridge when it was hacked.
For instance, some bridges create versions of crypto coins that make them compatible with different blockchains, holding the original coins in reserve. Others rely on smart contracts, complex covenants that execute deals automatically.
The code involved in all of these can contain bugs or other flaws, potentially leaving the door ajar for hackers.
So how best to address the problem?
Some experts say audits of smart contracts could help to guard against cyber thefts, as well as "bug bounty" programmes that incentivise open-sourced reviews of smart contract code.
Others call for less concentration of control of the bridges by individual companies, something they say could bolster resiliency and transparency of code.
"Cross-chain bridges are an attractive target for hackers because they often leverage a centralized infrastructure, most of which lock up assets," said Victor Young, founder and chief architect at U.S. blockchain firm Analog.
Reporting by Tom Wilson in London and Medha Singh in Bengaluru; Editing by Pravin Char