Nomad hack shows cross-chain bridges still vulnerable

Nomad hack shows cross-chain bridges still vulnerable

? Cross-chain bridges play an important role in building a multi-blockchain world, but they need to evolve.

Cross-chain bridges are protocols that allow users transfer assets and information between different blockchains, and they are now hackers’ favorite prey. Last week’s exploit of Nomad was 13th of this type so far in 2022, bringing the total amount of crypto stolen to a whopping $2 billion. As per Chainalysis data, cross-chain bridges hacks now account for 69% of total crypto theft this year.

? The reason the bridges have become so covetable for the hackers is that they introduce a point of centralization, through which a lot of value flows. Most bridges are quite straightforward: a smart contract freezes users’ funds on one chain, and another smart contract issues their “wrapped” equivalent on another chain. Finding a bug in one of these contracts equals hitting a jackpot, and most of the bridges’ hacks, be it Nomad, Wormhole or Qbridge, follow this scenario.

⚠️ Centralization = danger, which suggests that decentralized bridges could do a better job.

Some protocols like Multichain or cBridge try to avoid the single point failure problem by introducing blockchain-like mechanisms managing the funds on both sides of the bridge. However, code bugs are unforgiving for any type of protocol, and Multichain’s code vulnerability was exploited in the beginning of the year.

The notion of decentralization is to be taken seriously, as showed by the famous hack of Axie Infinity’s Ronin bridge. $620 million was the price to pay for realizing that such a critical structure as a bridge needs more than 9 validators, 4 of which work in the same company: a hacker infiltrated Sky Mavis’ employee’s computer via a phishing job offer and got access to their private key, as well as the keys of their coworkers and even the one belonging to Axie DAO, which allowlisted Sky Mavis last year. Since the incident, the Ronin bridge was redesigned, and its developers announced their intention to increase the number of validators to 24 (they have registered 19 so far).

Every hack of a crypto protocol is harming the whole space, and cross-chain bridges need to seriously reconsider their structure to reduce their points of failure. In the long term, bridging protocols with most chances to succeed could be those that will achieve true decentralization.