DeFi security: How trustless bridges can help protect users
Blockchain bridges allow decentralized finance (DeFi) users to use the same tokens across multiple blockchains. For example, a trader can use USD Coin (USDC) on the Ethereum or Solana blockchains to interact with the decentralized applications (DApps) on those networks.
While these protocols may be convenient for DeFi users, they are at risk of exploitation by malicious actors. For example, in the past year, the Wormhole bridge — a popular cross-chain crypto bridge between Solana, Ethereum, Avalanche and others — was hacked, with attackers stealing over $321 million worth of wrapped Ethereum (wETH), the largest hack in DeFi history at the time.
Just over a month later, on March 23, 2022, the Ronin Network bridge — Axie Infinity’s Ethereum-based sidechain — was hacked for over $620 million, and on Aug. 2, the Nomad bridge was hacked for over $190 million. In total, over $2.5 billion was stolen from cross-chain bridges between 2020 and 2022.
Trustless bridges, also known as noncustodial or decentralized bridges, could improve the security of users’ cross-chain transfers.
What is a blockchain bridge?
A cross-chain bridge is a technology that allows assets or data to be sent from one blockchain network to another. These bridges allow two or more separate blockchain networks to talk to each other and share information. The interoperability provided by cross-chain bridges makes it possible to move assets from one network to another.
Most bridging technologies use smart contracts on both blockchains to make cross-chain transactions possible.
Cross-chain bridges can move many assets, such as cryptocurrencies, digital tokens and other data. Using these bridges makes it easier for different blockchain networks to work together and for users to take advantage of each network’s unique features and benefits.
Trusted bridges vs. Trustless bridges
When it comes to bridging protocols, there are two main types: centralized (trusted) bridges and decentralized (trustless) bridges. Trusted bridges are managed by centralized entities that take custody of the tokens once they are transferred to the bridge. A major risk with custodial bridges is the single point of failure (the centralized custodian), which makes them an easier target for hacking attempts.
Instead of using centralized custodians to transfer tokens across blockchains, trustless bridges use smart contracts to complete the process.
Smart contracts are automated programs that execute certain actions once set conditions are met. Because of this, trustless bridges are seen as a safer alternative since each user maintains custody of their tokens during the transfer process.
However, trustless bridges can still be compromised if the smart contract code has vulnerabilities not identified and fixed by the development team.
Pascal Berrang, blockchain researcher and core developer at Nimiq, a blockchain-based payment protocol, told Cointelegraph, “In general, the use of cross-chain bridges introduces additional risks over the use of a single blockchain.”
“It increases the attack surface through blockchains, potential custodians and smart contracts. There are various types of cross-chain bridges, which come with different trade-offs in terms of these risks.” He continued:
“Cross-chain bridges naturally involve two or more blockchains, typically using distinct security mechanisms. Hence, the security of bridged assets depends on the weakest blockchain involved in the bridge. For example, if one of the blockchains is attacked, it would make it possible to revert a cross-chain swap on one of the chains but not on the other – resulting in an imbalance of assets.”
Berrang also stressed the vulnerabilities connected to the bridged assets being locked into the bridge. “Funds are usually stored or locked in a central place, constituting a single failure point. Depending on the type of the bridge, these funds are subject to different risks: In a smart-contract-based bridge, bugs in those contracts can make bridged assets worthless,” Berrang said.
“An example could be a bug that allows infinite minting of new bridged tokens. Bridges that trusted custodians operate are subject to counterparty risks if the custodians misbehave or their keys are stolen,” he added.
Jeremy Musighi, head of growth at Balancer, an automated market maker, believes that additional risks lie in the complexity of blockchain bridges, telling Cointelegraph that “Cross-chain bridges come with several significant risks. Security is one of the biggest risks; due to the complexity and difficulty of implementing cross-chain bridges, they’re prone to errors and vulnerabilities that malicious actors can exploit to steal assets or perform other malicious actions.”
Musighi also noted that scalability issues pose further risks for the bridging process, stating, “Another risk is scalability, as cross-chain bridges may not be able to handle large amounts of traffic, leading to delays and increased costs for users.”
Protecting bridges against exploits
Developers can prevent cross-chain bridges from being hacked by implementing several security measures that help ensure the transferred assets’ confidentiality, integrity and authenticity.
One of the most important measures is to ensure that the smart contract code that forms the core of cross-chain bridges is secure and free from vulnerabilities. This can be achieved through regular security audits, bug bounty programs and code reviews, which help identify and fix potential security issues.
Another measure developers can take is using cryptographic algorithms, such as digital signatures and hash functions, to secure the transfer of assets and information between different blockchain networks. This helps to ensure that the transferred assets are protected and that any malicious actors cannot interfere with the transfer process.
Moreover, regular network monitoring is essential to detect suspicious activity and prevent attacks. By monitoring the network, developers can detect any security issues and take appropriate action to resolve them before they cause any harm.
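The monitoring described above can be made concrete as a reconciliation of lock events on the source chain against mint events on the destination chain, which surfaces the unbacked-minting and asset-imbalance failures Berrang describes. This is an added example, not code from the article or from any bridge project; the event fields, alert names and sample events are constructed assumptions.

```python
import hashlib
from collections import Counter

# Constructed sample events; field names are assumptions, not a real bridge's schema.
LOCKS = [  # deposits locked in the source-chain bridge contract
    {"nonce": 1, "sender": "0xaaa", "recipient": "0xbbb", "amount": 100},
    {"nonce": 2, "sender": "0xccc", "recipient": "0xddd", "amount": 250},
]
MINTS = [  # wrapped tokens minted on the destination chain
    {"nonce": 1, "sender": "0xaaa", "recipient": "0xbbb", "amount": 100},
    {"nonce": 2, "sender": "0xccc", "recipient": "0xddd", "amount": 2500},    # amount altered
    {"nonce": 2, "sender": "0xccc", "recipient": "0xddd", "amount": 250},
    {"nonce": 2, "sender": "0xccc", "recipient": "0xddd", "amount": 250},     # same lock used twice
    {"nonce": 9, "sender": "0xeee", "recipient": "0xfff", "amount": 10**6},   # no lock at all
]

def transfer_id(ev):
    """Hash every field that defines a transfer, so any change yields a new ID."""
    msg = f'{ev["nonce"]}|{ev["sender"]}|{ev["recipient"]}|{ev["amount"]}'
    return hashlib.sha256(msg.encode()).hexdigest()

def reconcile(locks, mints):
    """Return (alerts, locked_total, minted_total) for one batch of events."""
    locked = {transfer_id(ev) for ev in locks}
    seen = Counter()
    alerts = []
    for ev in mints:
        tid = transfer_id(ev)
        seen[tid] += 1
        if tid not in locked:
            # Mint does not correspond to any locked deposit.
            alerts.append(("UNBACKED_MINT", ev["nonce"], ev["amount"]))
        elif seen[tid] > 1:
            # A valid lock has already been redeemed once.
            alerts.append(("REPLAYED_MINT", ev["nonce"], ev["amount"]))
    locked_total = sum(ev["amount"] for ev in locks)
    minted_total = sum(ev["amount"] for ev in mints)
    if minted_total > locked_total:
        # Wrapped supply exceeds collateral: the bridged asset is under-backed.
        alerts.append(("SUPPLY_IMBALANCE", locked_total, minted_total))
    return alerts, locked_total, minted_total

if __name__ == "__main__":
    for alert in reconcile(LOCKS, MINTS)[0]:
        print(alert)
```

A production monitor would read these events from each chain's bridge contracts and only count locks that have reached finality on the source chain.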
Finally, developing and deploying secure cross-chain bridges requires following best practices, such as secure coding practices, testing and debugging, and secure deployment methods. In doing so, developers can help ensure cross-chain bridges’ security and stability.
Preventing cross-chain bridges from being hacked requires a combination of secure code, cryptographic algorithms, robust consensus mechanisms, network monitoring and following best practices.
Are trustless bridges a better solution?
Trustless bridges can provide a safer solution for bridging assets across blockchains only if the smart contract code has been fully audited to ensure no vulnerabilities are present.
The main security benefit of trustless bridges is that users maintain custody of their tokens during the whole process, with smart contracts taking care of the transfer process. Additionally, the lack of a central authority to lock up the tokens makes the bridges harder to attack since there is no single point of failure.
Musighi told Cointelegraph, “I generally consider trustless bridges to be safer than trusted bridges since they operate transparently and rely on a decentralized network to validate and facilitate the transfer of assets between chains, whereas trusted bridges rely on a centralized third party, which means there is a single point of failure and a concentrated attack surface for hackers to target.”
“Trustless bridges are easier to audit and come with the clear benefit of trust minimization. Since many centralized bridges also leverage (simpler) smart contracts, trustless bridges can be considered a less risky but not risk-free option,” Berrang said.
As the decentralized finance space matures, developers must take additional measures toward securing cross-chain bridges. However, as crypto users become more interested in self-custody and decentralization, trustless bridges may grow in popularity.