Crypto-Bridge Hacks Reach Over $1 Billion in Little Over a Year

(Bloomberg) -- The $600 million hack this month of a crypto “bridge” supporting Axie Infinity’s play-to-earn video game highlights the increasingly problematic nature of the arcane software used within the world of digital assets, blockchains and the metaverse.

Weaknesses in bridges, which allow tokens designed for one blockchain to be used on another, has led to more than $1 billion in stolen cryptocurrency in a little more than a year across seven different incidents, according to data compiled by researcher Chainalysis. In the case of the Ronin Bridge, which was recently hacked, the software was adopted to help Axie Infinity’s network accelerate transactions and reduce costs since the underlying Ethereum blockchain wasn’t able to handle the surging demand from gamers quickly or cheaply. 

“Bridges, in my opinion, are the single largest potential point of failure in crypto right now,” said Sam Peurifoy, head of interactive at Hivemind Capital, who also leads the play-to-earn guild Kapital DAO in Axie Infinity.

More than $21 billion is locked on Ethereum bridges, data from Dune Analytics show. Just last month, hackers stole around $300 million from Wormhole, a bridge connecting Ethereum to the Solana blockchain. That same month, the Meter Passport bridge got hacked for several million dollars of crypto. In January, Qubit Finance, a project that enables cross-chain function was hacked. 

In addition to hacks, bridges have proven to be vulnerable to other unique problems. Last year, the Optics bridge on the Celo network ended up being inoperable after its bridge development team effectively lost control of the project.

It’s often hard to figure out who created a particular bridge or who operates it. Developers can be anonymous, and the names of the validators -- a handful of computers that secure the bridge’s transactions -- may be purposefully kept secret. Many are run by organizations with little security staff -- it can take days for an issue to be even discovered. At Ronin, the roughly $600 million theft happened on March 23 but was only discovered on March 29.  

Bridges are becoming increasingly vulnerable as the value of tokens going through them increases. Some 13 years ago, there was only the Bitcoin blockchain. Now, there are thousands of blockchains, each with its own advantages -- such as lower transaction fees -- and with its own army of applications, ranging from nonfungible marketplaces to decentralized crypto exchanges. Investors have to increasingly jump from one chain to another to earn yields or to buy art: Someone who has Ether token may wish to go onto Solana to purchase NFTs or to Polygon to play games, for example.

“I know it sounds like the cross bridges is a bit of a train wreck, but I don’t think it’s as bad as that,” Peter Robinson, a bridge expert at blockchain infrastructure builder ConsenSys, said in an interview before the Ronin hack.

Axie Infinity’s Ronin was built to handle more demand from Axie gamers who are looking for ways to avoid Ethereum’s expensive transaction fees.

“Bridges are an incredibly critical piece of infrastructure at this point,” Kanav Kariya, president of Jump Crypto, said in an interview after the Wormhole hack. “We are strongly moving toward a multi-chain world.” Back in February, Jump Crypto ended up providing more than $300 million of Ether so Wormhole’s users wouldn’t lose funds. A loss of a bridge can reverberate throughout a small blockchain’s ecosystem of apps, all of which may end up with massive losses.

“We’ve invested billions of dollars into the crypto ecosystem,” Kariya said. “Given the possible ripple effects of such a critical piece of infrastructure having a loss, we thought it was critical to step in in the early stages.” 

Ronin’s situation is a bit different. Axie Infinity, created by the Sky Mavis gaming studio, is the chain’s main app, and Sky Mavis also built the Ronin Bridge. The firm said it will reimburse users, also, though exactly how remains unclear.

Ethereum co-founder Vitalik Buterin warned in January that bridges have “fundamental security limits.” Buterin advocates holding native assets on each blockchain they were designed for to keep them safe. But that may not be affordable for many.

One key underlying problem is that most bridges don’t have insurance, and don’t guarantee a reimbursement of funds if they are lost. 

“We don’t provide implicit guarantees,” Yat Siu, co-founder of Animoca Brands and an investor in Sky Mavis, said in an interview before the Ronin hack. “We think of it as more of a warranty service. If a product ended up being faulty, if you have a faulty car, we’ll give you back your money.”   

©2022 Bloomberg L.P.