There is a gaping hole in the security architecture of the crypto industry, and even the deepest players haven’t figured out how to plug it.
The weakness in question is what is known in industry parlance as a cross-chain bridge – software that allows crypto tokens to move between different blockchains.
On Thursday, a hacker obtained about $100 million through a bridge used by Binance Holdings Ltd., the largest crypto exchange.
“The worrying thing is that Binance is not crazy, Binance has the capital, the resources and is able to hire the best,” said Paddy Cerri, chief architect of blockchain startup Minima. “If they can’t do it, who exactly can build a safe bridge?”
A total of 2 million Binance Coins – the equivalent of nearly $570 million – were effectively minted and looted by the hacker. Binance said in a statement that the incident was isolated to BNB Chain, over which it has no control. About $100 million of the stolen funds have not been recovered, while the rest has been frozen, according to the statement. No user funds were lost, Binance added.
The inability to secure bridges — Chainalysis estimates that $2 billion worth of tokens have been looted in 13 separate attacks, most of which have been stolen this year — presents a major dilemma because without such platforms, the main blockchains from Ethereum to Solana remain largely separate from each other. Billed by its proponents as the next iteration of the Internet, web3 rests in part on a vision of tokens flowing freely between different ecosystems.
According to Kunal Goel, a research analyst at Messari, demand for the technology is underpinned by protocols built on cross-chain bridges and interoperability, which have raised around $347 million in 30 deals since 2021. LayerZero had the largest deal, raising $135 million, but most of the deals were seed rounds, Goel said.
But even the well-funded bridges built specifically for “safety first” were not spared. In August, one such bridge called Nomad — which uses a method for verifying transactions that it says is more secure than those used by other cross-chain platforms — was hit by a $200 million hack.
One of the main challenges in building secure bridges is their complexity, which gives hackers many potential entry points. And there are few skilled professionals who can build and secure them, security analysts and blockchain developers say. Bridge developers must not only have a deep understanding of how the software works, but also the workings of the various blockchains it connects to. Finding someone with this know-how is not easy, according to analysts and programmers.
“I’ve studied distributed computing and consensus, and I still have to say that I don’t understand bridges very well,” said Paul Frambot, chief executive of crypto startup Morpho Labs, which developed the new protocol. “It’s very hard to understand it well, which makes it even harder to create a safe one.”