Cross-chains in the crosshairs: Hacks call for better defense mechanisms

2022 has been a lucrative year for hackers preying on the nascent Web3 and decentralized finance (DeFi) spaces, with more than $2 billion worth of cryptocurrency fleeced in several high-profile hacks to date. Cross-chain protocols have been particularly hard hit, with Axie Infinity’s $650 million Ronin Bridge hack accounting for a significant portion of stolen funds this year.

The pillaging continued into the second half of 2022 as cross-chain platform Nomad saw $190 million drained from wallets. The Solana ecosystem was the next target, with hackers gaining access to the private keys of some 8000 wallets that resulted in $5 million worth of Solana (SOL) and Solana Program Library (SPL) tokens being pilfered.

deBridge Finance managed to sidestep an attempted phishing attack on Monday, Aug. 8, unpacking the methods used by what the firm suspects are a wide-ranging attack vector used by North Korean Lazarus Group hackers. Just a few days later, Curve Finance suffered an exploit that saw hackers reroute users to a counterfeit webpage that resulted in the theft of $600,000 worth of USD Coin (USDC).

Multiple points of failure

The team at deBridge Finance offered some pertinent insights into the prevalence of these attacks, given that a number of their team members previously worked for a prominent anti-virus company.

Co-founder Alex Smirnov highlighted the driving factor behind the targeting of cross-chain protocols, given their role as liquidity aggregators that fulfill cross-chain value transfer requests. Most of these protocols look to aggregate as much liquidity as possible through liquidity mining and other incentives, which has inevitably become a honey-pot for nefarious actors:

“By locking a large amount of liquidity and inadvertently providing a diverse set of available attack methods, bridges are making themselves a target for hackers.”

Smirnov added that bridging protocols are middleware that relies on the security models of all the supported blockchains from which they aggregate, which drastically increases the potential attack surface. This alsmakes it possible to perform an attack in one chain to draw liquidity from others.

Smirnov added that the Web3 and cross-chain space is in a period of nascence, with an iterative process of development seeing teams learn from others’ mistakes. Drawing parallels to the first two years in the DeFi space where exploits were rife, the deBridge co-founder conceded that this was a natural teething process:

“The cross-chain space is extremely young even within the context of Web3, so we’re seeing this same process play out. Cross-chain has tremendous potential and it is inevitable that more capital flows in, and hackers allocate more time and resources to finding attack vectors.”

The Curve Finance DNS hijacking incident also illustrates the variety of attack methods available to nefarious actors. Bitfinex chief technology officer Paolo Ardoino told the industry needs to be on guard against all security threats:

“This attack demonstrates once again that the ingenuity of hackers presents a near and ever-present danger to our industry. The fact that a hacker is able to change the DNS entry for the protocol, forwarding users to a fake clone and approving a malicious contract says a lot for the vigilance that must be exercised.”

Stemming the tide

With exploits becoming rife, projects will no doubt be considering ways to mitigate these risks. The answer is far from clear-cut, given the array of avenues attackers have at their disposal. Smirnov likes to use a “swiss cheese model” when conceptualizing the security of bridging protocols, with the only way to execute an attack is if a number of “holes” momentarily line up.

“In order to make the level of risk negligible, the size of the hole on each layer should be aimed to be as minimal as possible, and the number of layers should be maximized.”

Again this is a complicated task, given the moving parts involved in cross-chain platforms. Building reliable multilevel security models requires understanding the diversity of risks associated with cross-chain protocols and the risks of supported chains.

The chief threats include vulnerabilities with the consensus algorithm and codebase of supported chains, 51% attacks and blockchain reorganizations. Risks to the validation layers could include the collusion of validators and compromised infrastructure.

Software development risks are also another consideration with vulnerabilities or bugs in smart contracts and bridge validation nodes key areas of concern. Lastly, deBridge notes protocol management risks such as compromised protocol authority keys as another security consideration.

“All these risks are quickly compounded. Projects should take a multi-faceted approach, and in addition to security audits and bug bounty campaigns, lay various security measures and validations into the protocol design itself.”

Social engineering, more commonly referred to as phishing attacks, is another point to consider. While the deBridge team managed to thwart this type of attack, it still remains one of the most prevalent threats to the wider ecosystem. Education and strict internal security policies are vital to avoid falling prey to these cunning attempts to steal credentials and hijack systems.

Main, News