Is there a safe future for cross-chain bridges?
The plane lands and stops. On their way to passport control, one of the passengers stops at a vending machine to buy a bottle of soda – but the device is utterly oblivious to all their credit cards, cash, coins and all the rest. rest. It’s all part of an alien economy as far as the machine goes, and as such they can’t even buy a drop of Coke.
In the real world, the machine would have been satisfied with a Mastercard or a Visa. And the currency exchange office at the airport would have been just as happy to come to the rescue (with a big markup, of course). In the blockchain world, however, the above scenario strikes a chord with some commentators, as long as we trade trips abroad to move assets from one chain to another.
While blockchains as decentralized ledgers are quite good at tracking transfers of value, each Layer 1 network is an entity unto itself, ignoring any non-intrinsic events. Since these chains are, by extension, separate entities from each other, they are not inherently interoperable. This means that you cannot use your Bitcoin (BTC) to access a decentralized finance (DeFi) protocol from the Ethereum ecosystem unless the two blockchains can communicate.
This communication is powered by a bridge, a protocol that allows users to transfer their tokens from one network to another. Bridges can be centralized – that is, operated by a single entity, like the Binance Bridge – or built in varying degrees of decentralization. In any case, their main task is to allow the user to move their assets between different chains, which means more utility and, therefore, value.
As convenient as the concept may seem, it’s not the most popular with many in the community right now. On the one hand, Vitalik Buterin recently expressed his skepticism towards the concept, warning that cross-chain bridges can enable 51% cross-chain attacks. On the other hand, spoofing-based cyberattacks on cross-chain bridges exploiting their smart contract code vulnerabilities, as was the case with Wormhole and Qubit, have prompted critics to wonder whether the bridges cross-chain may be more than a security issue in purely technological environments. terms. So, is it time to abandon the idea of an internet of blockchains held together by bridges? Not necessarily.
Related: Crypto, like railroads, is among the best global millennial innovations
When contracts get too smart
Although the details depend on the specific project, a cross-chain bridge connecting two chains with smart contract support normally works like this. A user sends their tokens (let’s call them Catcoins, felines are cool too) on channel 1 to the bridge wallet or smart contract there. This smart contract must pass the data to the bridge smart contract on chain 2, but since it is unable to reach it directly, a third-party entity – a centralized or (to some extent) decentralized intermediary – must pass the message. Chain 2’s contract then creates synthetic tokens in the wallet provided by the user. Lo and behold, the user now has their Catcoins wrapped on channel 2. It’s a bit like exchanging fiat for tokens in a casino.
To retrieve their Catcoins on Chain 1, the user must first send the synthetic tokens to the bridge’s contract or wallet on Chain 2. Then a similar process takes place, as the intermediary pings the bridge’s contract. bridge on chain 1 to release the appropriate amount of Catcoins to a given target wallet. On Chain 2, depending on the exact design and business model of the bridge, synthetic tokens that a user turns in are either burned or held.
Keep in mind that each step in the process is actually broken down into a linear sequence of smaller actions, even the initial transfer is done in stages. The network must first check if the user has enough Catcoins, subtract them from their wallet, and then add the appropriate amount to that of the smart contract. These steps are the overall logic that handles the value moved between strings.
In the case of the Wormhole and Qubit bridges, attackers were able to exploit flaws in smart contract logic to feed spoofed data to the bridges. The idea was to get the synthetic tokens on chain 2 without depositing anything on the chain 1 bridge. And honestly, both hacks boil down to what happens in most attacks against DeFi services: exploit or manipulate the logic feeding a specific process for financial services. Gain. An inter-chain bridge connects two Layer 1 networks, but things also work the same between Layer 2 protocols.
For example, when you stake a non-native token in a yield farm, the process involves an interaction between two smart contracts – those that power the token and the farm. If underlying footage has a logic flaw that a hacker can exploit, the criminal will, and that’s exactly how GrimFinance lost some $30 million in December. So if we’re ready to say goodbye to cross-chain bridges due to several flawed implementations, we might as well silo smart contracts, returning crypto to its stone age.
Related: DeFi attacks are on the rise – Will the industry be able to stem the tide?
A steep learning curve to master
There’s a bigger point to make here: don’t blame a concept for a flawed implementation. Hackers always follow the money, and the more people use cross-chain bridges, the more incentive they have to attack such protocols. The same logic applies to anything of value that is connected to the Internet. Banks are also hacked, and yet we are in no rush to shut them all down, as they are a crucial part of the economy as a whole. In the decentralized space, cross-chain bridges also have a major role, so it would make sense to restrain our fury.
Blockchain is still a relatively new technology, and the community around it, as large and brilliant as it is, is just discovering the best security practices. This is even more true for cross-chain bridges, which work to connect protocols with different underlying rules. At present, it is a nascent solution opening the door to the transfer of value and data over networks that are something greater than the sum of its parts. There’s a learning curve, and it’s worth mastering.
While Buterin’s argument, for its part, goes beyond implementation, it is still not without caveats. Yes, a malicious actor controlling 51% of the hash rate or staked tokens of a small blockchain could try to steal ether (ETH) locked to the bridge at the other end. The attack volume would hardly exceed the market capitalization of the blockchain, as this is the hypothetical maximum limit of the amount the attacker can deposit into the bridge. Smaller chains have smaller market caps, so the resulting damage to Ethereum would be minimal and the return on investment for the attacker would be questionable.
While most cross-chain bridges today are not without flaws, it is too early to discount their underlying concept. Besides regular tokens, these bridges can also move other assets, from non-fungible tokens to zero-knowledge proofs of identification, making them extremely valuable to the entire blockchain ecosystem. Technology that adds value to every project by bringing it to more audiences shouldn’t be seen as purely zero-sum, and its promise of connectivity is worth the risk.
This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.
The views, thoughts and opinions expressed herein are those of the author alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Lior Lamesh is the co-founder and CEO of GK8, a blockchain cybersecurity company that provides a custodial solution for financial institutions. After honing his cyber skills within Israel’s elite cyber team reporting directly to the Prime Minister’s Office, Lior led the company from inception to a successful acquisition for $115 million in November 2021. In 2022, Forbes put Lior and his business partner Shahar Shamai on its 30 Under 30 list.