cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Over $1.2bn stolen via weak crypto ‘bridges’, report reveals

According to data from London-based blockchain analysis firm Elliptic, hackers have stolen crypto worth some $1.2 billion from “bridges”, which is more than double from last year’s total.

user iconReporter
Tue, 09 Aug 2022
Over $1.2bn stolen via weak crypto ‘bridges’, report reveals
expand image

Last week, thieves stole an estimated $190 million from US crypto firm Nomad, marked the seventh hack of 2022 targeting an increasingly important cog in the crypto machine – strings of code that help move crypto coins between different applications called Blockchain "bridges".

Commenting on the hacking trend, Ronghui Gu, a professor of computer science at Columbia University in New York and co-founder of cyber security firm CertiK, advises that malicious cyber actors target bugged projects.

"We have to protect so many projects.


"For them (hackers) when they look at one project and there's no bugs, they can simply move on to the next one, until they find a one weak point.

"This is a war where the cyber security firm or the project can't be a winner," Professor Hu said.

According to Reuters, at present, most digital tokens run on their own unique blockchain, essentially a public digital ledger that records crypto transactions.

That risks projects using these coins becoming siloed, reducing their prospects for wide use, and Blockchain bridges aim to tear down these walls.

Backers expect bridges to play a fundamental role in "Web3" the much-hyped vision of a digital future where crypto's enmeshed in online life and commerce.

While Nomad and other companies that make blockchain bridge software have attracted backing, bridges can be the weakest link.

The Nomad hack was the eighth-biggest crypto theft on record, with Steve Bassi, co-founder and CEO of malware detector PolySwarm, adding that, "Blockchain bridges are the most fertile ground for new vulnerabilities."

Other thefts from bridges this year include a $615 million heist at Ronin, used in a popular online game, and a $320 million theft at Wormhole, used in so-called decentralised finance applications.

Just five days before it was hacked, San Francisco-based Nomad announced it had raised $22.4 million from investors including major exchange Coinbase Global (COIN.O). Nomad CEO and co-founder Pranay Mohan called its security model the "gold standard".

Nomad did not respond to requests for comment from Reuters. However, it has confirmed it is working with law enforcement agencies and a blockchain analysis firm to track the stolen funds.

Late last week, it announced a bounty of up to 10 per cent for the return of funds hacked from the bridge. On Saturday, Nomad had recovered over $32 million of the hacked funds as the retrieval process continues.

"The most important thing in crypto is community, and our number one goal is restoring bridged user funds," Mohan added.

"We will treat any party who returns 90 per cent or more of exploited funds as a white hat.

"We will not prosecute white hats," he said, referring to so-called ethical hacker.

Several cyber security and blockchain experts told Reuters that the complexity of bridges meant they could represent an Achilles' heel for projects and applications that used them.

According to Ganesh Swami, CEO of blockchain data firm Covalent in Vancouver, which had some crypto stored on Nomad's bridge when it was hacked, a reason why hackers have targeted these cross-chain bridges of late, is because of the immense technical sophistication involved in creating these kinds of services.

For instance, some bridges create versions of crypto coins that make them compatible with different blockchains, holding the original coins in reserve. Others rely on smart contracts, complex covenants that execute deals automatically.

The code involved in all of these can contain bugs or other flaws, potentially leaving the door ajar for hackers.

Some experts say audits of smart contracts could help to guard against cyber thefts, as well as "bug bounty" programs that incentivise open-sourced reviews of smart contract code.

Others call for less concentration of control of the bridges by individual companies, something they say could bolster resiliency and transparency of code.

The centralised infrastructure of bridges is one of the key attributes that attract hackers. Victor Young, founder and chief architect at US blockchain firm Analog, commented, weighing in on the security incidents.

"Cross-chain bridges are an attractive target for hackers because they often leverage a centralised infrastructure, most of which lock up assets," Young said.

[Related: Palo Alto Networks introduces new Unit 42 MDR service]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.