Understanding Crypto Bridges and $1 Billion in Thefts

There’s a reason bridges are more important than an average stretch of road — and why holes in them are more dangerous. As the cryptocurrency world has grown more complex, more and more transactions have come to rely on so-called crypto bridges that enable transactions involving a wide range of tokens. A roughly $600 million hack of the Ronin bridge in March brought the total stolen from bridges in a year’s time to more than $1 billion, a stark reminder that just because something is useful, fast and cheap doesn’t mean it’s safe.

1. What’s a crypto bridge?

A platform that allows tokens designed for one blockchain — the digital ledger that records and verifies transactions conducted using that token — to be used on another. Bridges weren’t needed in crypto’s early days. Some 13 years ago, there was only the Bitcoin blockchain. Now, there are thousands of blockchains, each with its own advantages — such as lower transaction fees — and with its own army of applications, ranging from nonfungible token (NFT) marketplaces to decentralized crypto exchanges. The rising interest in DeFi, in which users often seek to lend or trade a variety of currencies, has increased the need for mechanisms to bridge the gulf between blockchains. More and more investors are seeking to jump from one chain to another to earn yields or to buy art. Someone who has Ether tokens may wish to go onto blockchains that have lower “gas,” or transaction fees than Ethereum, like Solana, to purchase NFTs, or to Polygon to play games, for example.  

2. How do crypto bridges work? 

Most often, by using so-called wrapped coins. Those are tokens that are meant to function as a one-to-one representation of the value of other currencies, similar to stablecoins. Just as a stablecoin like Tether pegs the value of a single token at $1, a token of wrapped Ether is worth whatever a single Ether (the currency of the Ethereum blockchain) is worth. Bridges typically use so-called smart contracts to automatically convert a user’s currency into a wrapped token that can be used on a different blockchain. But if the underlying Ether deposited with a bridge is stolen, the wrapped Ether becomes worthless. 

3. How big is the problem with bridges? 

More than $21 billion is locked on Ethereum bridges, data from Dune Analytics show. On March 23, the Ronin Bridge, which is connected to the popular Axie Infinity online game was attacked, with the hacker stealing 173,600 Ether and 25.5 million USDC tokens in two transactions, for a total take of about $600 million. In February, hackers stole around $300 million from Wormhole, a bridge connecting Ethereum to the Solana blockchain. That same month, the Meter Passport bridge got hacked for several million dollars of crypto. In January, Qubit Finance, a project that enables cross-chain function was hacked. A total of seven bridge hacks have been recorded, according to data compiled by researcher Chainalysis. 

4. Why are bridges so vulnerable?

It’s not only hacks. Bridges have proven to be vulnerable to other unique problems. In 2021, the Optics bridge on the Celo network saw its bridge development team effectively lose control of the project. Figuring out what’s gone wrong or who is responsible for the design or operation of a particular bridge can be hard. Developers can be anonymous, and the names of the validators — a handful of computers that secure the bridge’s transactions — may be purposefully kept secret. Many are run by organizations with little security staff — it can take days for an issue to be even discovered. At Ronin, the theft was only discovered six days later.

5. What does this mean for crypto users? 

They need to be aware that security remains a widespread issue. Fortunately for Wormhole users, its sponsor Jump Crypto ended up covering the bridge’s losses. Axie Infinity creator Sky Mavis said it will cover Ronin Bridge losses, too, without revealing specifics. But such compensation isn’t guaranteed, and shouldn’t be expected. Ethereum co-founder Vitalik Buterin said in January that bridges are insecure, and users need to keep tokens only on blockchains they are native to to stay safe.