How hackers take advantage of the 'Bridge' problem
Hackers stole $540 million worth of Ethereum and USDC stablecoin this week, according to cryptocurrency network Ronin.
The theft is one of the largest in bitcoin history, and the funds were taken from a service called the Ronin Bridge. Successful attacks against "blockchain bridges" have become increasingly common in recent years, and the Ronin incident is a stark reminder of the problem's severity.
Blockchain bridges, often referred to as network bridges, are mechanisms that enable users to transfer digital assets from one blockchain to another. Because cryptocurrencies are often walled off and incompatible with one another—you can't make a transaction on the Bitcoin blockchain using Dogecoin—"bridges" have emerged as a critical tool, if not a missing link, in the cryptocurrency economy.
Bridge services "wrap" cryptocurrencies in order to convert them from one form of coin to another. So if you bring a currency such as Bitcoin (BTC) to a bridge in order to use it elsewhere, the bridge will spit out wrapped bitcoin (WBTC) in return. It functions similarly to a gift card or a check in that it represents stored value in a flexible alternate format. Bridges require a reserve of cryptocurrency to back all of those wrapped coins, and that hoard is a prime target for hackers.
James Prestwich, who studies and develops cross-chain communication protocols, stated that “any capital on-chain is subject to attack 24/7/365, so bridges will always be a popular target,” adding that "Bridges will continue to grow because people will always want the opportunity to join new ecosystems. Over time, we’ll professionalize, develop best practices, and there will be more people capable of building and analyzing bridge code. Bridges are new enough that there are very few experts.”
In addition to the Ronin theft, hackers took around $80 million in bitcoin from Qubit Bridge at the end of January, approximately $320 million from Wormhole Bridge at the beginning of February, and $4.2 million from Meter.io Bridge a few days later. Last August, the Poly Network bridge had $611 million in cryptocurrency stolen from it before the attacker returned the funds a few days later. All of these attacks used software weaknesses to siphon funds, but the Ronin Bridge attack had a unique flaw.
Ronin was developed by the Vietnamese company Sky Mavis, which also makes the popular NFT-based video game Axie Infinity. In this particular bridge hack, the attackers used social engineering to trick their way into the private keys used to verify transactions. The keys were set up in a less than rigorous manner, which is what allowed their withdrawals to succeed.
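To make the two mechanisms above concrete, here is an added toy model (not Ronin's or Sky Mavis's code; every validator name, organisation, threshold and amount is constructed): a lock-and-mint bridge whose reserve backs the wrapped supply, whose withdrawals need k-of-n validator approvals, and a check that reports how many independent key holders must be compromised before that threshold can be met, a quick measure of how rigorously the keys are set up.

```python
"""Toy lock-and-mint bridge guarded by a k-of-n validator set.
Added illustration only; validator ids, organisations, thresholds
and amounts below are constructed, not taken from any real bridge."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Bridge:
    validators: dict            # validator id -> organisation holding its key
    threshold: int              # distinct approvals needed to release funds
    reserve: float = 0.0        # native coins locked, backing the wrapped supply
    wrapped_supply: float = 0.0

    def deposit(self, amount: float) -> None:
        """Lock native coins and mint the same amount of wrapped coins."""
        self.reserve += amount
        self.wrapped_supply += amount

    def withdraw(self, amount: float, approvals: set) -> bool:
        """Burn wrapped coins and release reserve only if enough distinct,
        known validators approved and the reserve can actually cover it."""
        valid = {v for v in approvals if v in self.validators}
        if len(valid) < self.threshold or amount > self.reserve:
            return False
        self.reserve -= amount
        self.wrapped_supply -= amount
        return True

    def min_orgs_to_reach_threshold(self) -> int:
        """Fewest distinct key holders whose keys together meet the
        threshold: the smaller this number, the weaker the key set-up."""
        per_org = sorted(Counter(self.validators.values()).values(), reverse=True)
        keys = orgs = 0
        for n in per_org:
            keys += n
            orgs += 1
            if keys >= self.threshold:
                return orgs
        return len(per_org)


# Constructed: 9 validators, 5 approvals needed, but organisation A holds 4 keys.
WEAK = Bridge({"v0": "A", "v1": "A", "v2": "A", "v3": "A",
               "v4": "B", "v5": "C", "v6": "D", "v7": "E", "v8": "F"}, threshold=5)
# Constructed: 9 validators, each held by a different organisation, 7 needed.
STRONG = Bridge({"v0": "A", "v1": "B", "v2": "C", "v3": "D", "v4": "E",
                 "v5": "F", "v6": "G", "v7": "H", "v8": "I"}, threshold=7)

if __name__ == "__main__":
    print("WEAK needs", WEAK.min_orgs_to_reach_threshold(), "organisations")     # 2
    print("STRONG needs", STRONG.min_orgs_to_reach_threshold(), "organisations")  # 7
```

With the weak layout, one organisation plus any single other key holder is enough to authorise a withdrawal of the entire reserve; the strong layout requires seven independent holders.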
In its statement regarding the incident, Ronin stated that the company is "not immune to exploitation, and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats."
The breach was discovered the same day, but the "validator nodes" had been compromised on March 23. 173,600 Ethereum and 25.5 million USDC were stolen. Ronin Bridge has been out of service since, with users unable to perform transactions.