Cryptocurrency-bridge hacks top $1.36 billion in little over a year

NEW YORK (BLOOMBERG) – The hack of a so-called bridge supporting Axie Infinity’s play-to-earn game revealed last week highlights the increasingly problematic nature of the arcane software used within the burgeoning world of cryptocurrencies, blockchains and the metaverse.

Weaknesses in bridges, which allow tokens designed for one blockchain to be used on another, have led to more than US$1 billion (S$1.36 billion) in stolen cryptocurrency in a little more than a year across seven different incidents, according to data compiled by researcher Chainalysis.

In the case of the Ronin Bridge, which was recently hacked, the software was adopted to help Axie Infinity’s network accelerate transactions and reduce costs since the underlying Ethereum blockchain was not able to handle the surging demand from gamers quickly or cheaply. “Bridges, in my opinion, are the single largest potential point of failure in crypto right now,” said Mr Sam Peurifoy, head of interactive at Hivemind Capital, who also leads the play-to-earn guild Kapital DAO in Axie Infinity.

More than US$21 billion is locked on Ethereum bridges, data from Dune Analytics shows. In February, hackers stole around US$300 million from Wormhole, a bridge connecting Ethereum to the Solana blockchain. That same month, the Meter Passport bridge got hacked for several million dollars of crypto. In January, Qubit Finance, a project that enables cross-chain function was hacked. In addition to hacks, bridges have proven to be vulnerable to other unique problems.

Last year, the Optics bridge on the Celo network ended up being inoperable after its bridge development team effectively lost control of the project.

It is often hard to figure out who created a particular bridge or who operates it.

Developers can be anonymous, and the names of the validators – a handful of computers that secure the bridge’s transactions – may be purposefully kept secret. Many are run by organisations with little security staff – it can take days for an issue to even be discovered. At Ronin, the roughly US$600 million theft happened on March 23 but was only discovered on March 29. Bridges are becoming increasingly vulnerable as the value of tokens going through them increases. Some 13 years ago, there was only the Bitcoin blockchain.

Now, there are thousands of blockchains, each with their own advantages – such as lower transaction fees – and with their own army of applications, ranging from non-fungible marketplaces to decentralised crypto exchanges.

Investors have to increasingly jump from one chain to another to earn yields or to buy art: Someone who has Ether token may wish to go onto Solana to purchase non-fungible tokens (NFTs) or to Polygon to play games, for example.

“I know it sounds like the cross bridges are a bit of a train wreck, but I don’t think it’s as bad as that,” Mr Peter Robinson, a bridge expert at blockchain infrastructure builder ConsenSys, said in an interview before the Ronin hack.

Axie Infinity’s Ronin was built to handle more demand from Axie gamers who are looking for ways to avoid Ethereum’s expensive transaction fees.

“Bridges are an incredibly critical piece of infrastructure at this point,” Mr Kanav Kariya, president of Jump Crypto, said in an interview after the Wormhole hack. “We are strongly moving towards a multi-chain world.”