2022 has been a lucrative year for hackers preying on the nascent Web3 and decentralized finance (DeFi) spaces, with more than $2 billion worth of cryptocurrency fleeced in several high-profile hacks to date. Cross-chain protocols have been particularly hard hit, with Axie Infinity’s $650 million Ronin Bridge hack accounting for a significant portion of stolen funds this year.
The pillaging continued into the second half of 2022 as cross-chain platform Nomad saw $190 million drained from wallets. The Solana ecosystem was the next target, with hackers gaining access to private keys of some 8000 wallets that resulted in $5 million worth of Solana (SOL) and Solana Program Library (SPL) tokens being pilfered.
deBridge Finance managed to sidestep an attempted phishing attack on Aug. 8, unpacking the methods used by what the firm suspects are a wide-ranging attack vector used by North Korean Lazarus Group hackers. Just a few days later, Curve Finance suffered an exploit that saw hackers reroute users to a counterfeit webpage that resulted in the theft of $600,000 worth of USDC.
Multiple points of failure
The team at deBridge Finance offered some pertinent insights into the prevalence of these attacks in correspondence with Cointelegraph, given that a number of their team members have previously worked for a prominent anti-virus company.
Co-founder Alex Smirnov highlighted the driving factor behind the targeting of cross-chain protocols, given their role as liquidity aggregators that fulfill cross-chain value transfer requests. Most of these protocols look to aggregate as much liquidity as possible through liquidity mining and other incentives, which has inevitably become a honey-pot for nefarious actors:
“By locking a large amount of liquidity and inadvertently providing a diverse set of available attack methods, bridges are making themselves a target for hackers.”
Smirnov added that bridging protocols are middleware that relies on security models of all supported blockchains from which they aggregate, which drastically increases the potential attack surface. This makes it possible to perform an attack in one chain in order to draw liquidity from others.
Smirnov added that the Web3 and cross-chain space is in a period of nascence, with an iterative process of development seeing teams learn from others’ mistakes. Drawing parallels to the first two years in the DeFi space where exploits were rife, the deBridge co-founder conceded that this was a natural teething process:
“The cross-chain space is extremely young even within the context of Web3, so we’re seeing this same process play out. Cross-chain has tremendous potential and it is inevitable that more capital flows in, and hackers allocate more time and resources to finding attack vectors.”
The Curve Finance DNS hijacking incident also illustrates the variety of attack methods available to nefarious actors. Bitfinex CTO Paolo Ardoino told Cointelegraph the industry needs to be on guard to all security threats:
“This attack demonstrates once again that the ingenuity of hackers presents a near and ever-present danger to our industry. The fact that a hacker is able to change the DNS entry for the protocol, forwarding users to a fake clone and approving a malicious contract says a lot for the vigilance that must be exercised.”
Stemming the tide
With exploits becoming rife, projects will no doubt be considering ways to mitigate these risks. The answer is far from clear-cut, given the array of avenues attackers have at their disposal. Smirnov likes to use a ‘swiss cheese model’ when conceptualizing the security of bridging protocols, with the only way to execute an attack is if a number of “holes” momentarily line up.
“In order to make the level of risk negligible, the size of the hole on each layer should be aimed to be as minimal as possible, and the number of layers should be maximized.”
Again this is a complicated task given the moving parts involved in cross-chain platforms. Building reliable multi-level security models requires understanding the diversity of risks associated with cross-chain protocols and risks of supported chains.
Chief threats include vulnerabilities with the consensus algorithm and codebase of supported chains, 51% attacks and blockchain reorganizations. Risks to the validation layers could include collusion of validators and compromised infrastructure.
Software development risks are also another consideration with vulnerabilities or bugs in smart contracts and bridge validation nodes key areas of concern. Lastly, deBridge notes protocol management risks such as compromised protocol authority keys as another security consideration.
“All these risks are quickly compounded. Projects should take a multi-faceted approach, and in addition to security audits and bug bounty campaigns, lay various security measures and validations into the protocol design itself.”
Social engineering, more commonly referred to as phishing attacks, is another point to consider. While the deBridge team managed to thwart this type of attack, it still remains one of the most prevalent threats to the wider ecosystem. Education and strict internal security policies are vital to avoid falling prey to these cunning attempts to steal credentials and hijack systems.