DeFi hackers stole $3.2bn last year amid 35% surge in ‘bridge’ exploits

Hackers stole more than $3.2 billion from decentralised finance protocols in 2022. So-called crypto bridges were the biggest victim, suffering losses of over $1.8 billion.

Bridges, which became popular in 2021, are a kind of DeFi protocol that allows users to send tokens from one blockchain to another. They work by allowing users to deposit tokens on one side of the bridge to “mint” an equivalent token on the other.

Bridges became essential during the 2021 bull market as multiple “Layer 1” blockchains – like Solana, Terra and Avalanche – competed for a finite amount of on-chain liquidity. By creating bridges, these blockchains offered users an easy way to bring tokens into their ecosystems, fostering activity and helping their valuations balloon.

But there were weaknesses. Hackers seized on vulnerabilities in hastily built bridges to perpetrate multiple nine-figure exploits in 2022. Bridge developers are rushing to plug the holes to shut down hacks – but demand is only increasing.

Chart: Monthly sum stolen from DeFi protocols

“Most bridges are built with the Web2 mindset of, ‘Move fast and break things,’” said Ryan Zarick, co-founder and CTO of LayerZero Labs. His company built its own crypto bridge called Stargate, designed to mitigate some of the risks associated with bridges. “This is the wrong mental model; with every transaction being final, a single bug could cost hundreds of millions of dollars.”

“Bridges are an attractive target,” said Erin Plante, VP of Investigations at crypto security firm Chainalysis. She said bridges often feature a central storage point where deposited tokens are held. “Regardless of how those funds are stored – locked up in a smart contract or with a centralised custodian – that storage point becomes a target.”

‘Bridges have proven themselves to be a risky space, but they needn’t be’

In February, the first major bridge exploit occurred when a hacker targeted the Wormhole bridge that connected Solana to several other blockchains. The attacker spoofed the permissions required to mint Wormhole bridge tokens and tricked the protocol into giving away over 120,000 ETH, worth approximately $322 million at the time.

Before Wormhole launched in summer 2021, Solana auditing firm Neodyme conducted a code review, but published its findings only a month before the hack. Despite the fact that the protocol had three more reviews pending at that time, Wormhole’s developers still allowed users to deposit millions of dollars worth of crypto into it.

Other bridge builders have also expressed criticism toward projects that brought bridges to market before ensuring they were safe.

“Bridges have proven themselves to be a risky space, but they needn’t be,” said Clayton Roche, Head of Communications at the Ethereum Layer 2 bridge Across Protocol. “The temptation to offer immediate results without proper security concerns was responsible for this. Hopefully the bear-market atmosphere will lend itself to fewer reckless builds.”

Wormhole wasn’t the only crypto bridge to suffer a major hack due to a code exploit last year. In August, hackers looted the Nomad bridge for $190 million. And in October, the BNB Chain bridge suffered a $570 million exploit, although the attacker was only able to make off with approximately $110 million before the network’s validators – who process transactions – froze the chain.

‘There were a lot of big hacks this year that had nothing to do with smart contract bugs’

However, not all of this year’s bridge hacks were due to shoddy code.

In addition to code vulnerabilities in bridges, more hackers have started targeting weaknesses in private keys, which are unique password-like codes that allow a user to access and manage their tokens.

“There were a lot of big hacks this year that had nothing to do with smart contract bugs,” the pseudonymous whitehat hacker kankodu told DL News.

According to kankodu, the increase in private key hacks is likely due to more hackers outside of the crypto space seeing it as a lucrative target. “I think it’s because more Web2 hackers are taking a stab at hacking DeFi protocols,” he said.

Previously, hacks had come mainly from within the DeFi community, as attackers need a deep technical knowledge of crypto to find and take advantage of exploits. But as the amounts locked in DeFi protocols ballooned, bridges that hold funds in multi-signature wallets – which only require a basic understanding of crypto to break into after obtaining the private keys – have become a target for more conventional hackers.

One such organisation to use more conventional hacking techniques is Lazarus Group, a North Korean state-sponsored crime syndicate. The group carried out the largest hack of 2022 in March, stealing $624 million from the Ronin Network bridge that connects play-to-earn game Axie Infinity to Ethereum, then compromised the Harmony Horizon bridge in June for $100 million.

According to the US Cybersecurity and Infrastructure Agency (CISA), Lazarus used social engineering techniques “to encourage individuals to download trojanized cryptocurrency applications.” This allowed the group to “gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps.”

‘These [multi-signature-backed] bridges have single points of failure’

The Ronin and Horizon bridges both opted to store assets in multi-signature wallets instead of using on-chain smart contracts, as this method was easier and quicker to build. This means that if a hacker gets hold of the private keys controlling the wallet, they can transfer assets out at will.

“These [multi-signature-backed] bridges have single points of failure,” said Hop protocol co-founder Chris Whinfrey, whose protocol specialises in bridging tokens between Ethereum and its Layer 2 networks. Whinfrey explained that bridges using multi-signature wallets face adversity from some of the world’s best hackers, adding that Hop’s security is rooted entirely on-chain to avoid the issue.

Before 2022, hacks involving compromised private keys were rare. However, the rise of hackers like Lazarus Group is changing the status quo.

But despite an abysmal track record on security, bridge builders continue competing for market share. Every day millions of dollars worth of assets are transferred through crypto bridges, and those managing them receive a small fee for every transaction. According to global investment manager VanEck, the crypto bridging sector will be worth $174.1 billion by 2030.

Unless all blockchain activity suddenly coalesces in a single place – an unlikely scenario given the near-constant development of new blockchains – the demand for crypto bridges will continue to grow. “Bridges are a critical piece of Web3 infrastructure,” said Roche. “The need for them is not going anywhere.”