June 8th, 2022
Many blockchains, such as Bitcoin and Ethereum, were designed to be standalone systems. They provided an immutable digital ledger for recording transactions as well as other features, such as support for smart contracts.
However, all blockchain platforms have their pros and cons, and recent trends have moved toward integration. With a cross-chain bridge, it is possible for a user to transfer their assets between blockchains to take advantage of each one’s unique benefits.
For example, Bitcoin offers a more stable and secure environment for storing cryptocurrency, but transferring value to the Ethereum blockchain enables a user to take advantage of the smart contracts deployed within that environment.
Cross-chain bridges have their advantages, but they also have their downsides. Numerous hacks of cross-chain bridges in recent months (see below for examples) demonstrate that not only are they not completely secure but also that hacks of cross-chain bridges can have knock-on effects on other DeFi projects.
A cross-chain bridge is designed to integrate two blockchains that — in most cases — were never designed to be integrated.
With the exception of blockchains built using a Layer 0 protocol such as Cosmos or Polkadot, blockchains are typically designed as standalone systems that support external integrations via APIs and smart contracts.
Cross-chain bridges are often implemented using smart contracts. To transfer assets across a bridge, a user sends them to a specific account on the blockchain. This triggers a transfer across the bridge which, if approved, causes the assets to be released and sent to the user’s account on the other blockchain.
Hacks of blockchain bridges are typically designed to cause tokens to be released on one blockchain without a corresponding deposit on the other. The main ways in which this can be accomplished are:
A hack of a cross-chain bridge can have a significant impact on the bridge itself. A successful attack involves withdrawing value from the bridge without a corresponding deposit, meaning that the bridge project loses money.
However, the fact that cross-chain bridges span multiple blockchain platforms means that they can have complex effects. By creating interrelationships between blockchains, cross-chain bridges also cause their security to be intertwined. Additionally, the complex relationships between “wrapped” assets on different blockchains make tracking the “true” value of an asset difficult in the wake of an attack.
For example, a successful attack on a blockchain bridge could cause a particular asset to be devalued on one platform but not others, creating significant arbitrage opportunities. This occurred in the case of the Meter.io hack. The hack caused BNB.bsc to be devalued on the BNB chain, but Hundred Finance used the global Chainlink price for the asset. This discrepancy allowed attackers to buy BNB.bsc for cheap and use it as collateral to take out loans of more valuable assets.
Cross-chain bridges link blockchains together often through the use of smart contracts. This makes smart contract audits a vital component of the bridge security process. By identifying and remediating vulnerabilities before code is released onto the blockchain, a smart contract security audit could have prevented many of the largest hacks of cross-chain bridges.
However, security audits of bridge projects shouldn’t stop at just the code. Cross-chain bridges create complex environments, and the interactions between the contracts deployed on various platforms should be taken into account as well. An effective audit requires expert knowledge of all of the affected platforms and in validating the logic of the bridge project and assessing the risks that it poses and faces.