The theft of about $190 million from US cryptocurrency firm Nomad last week was the seventh hacking attack of 2022 against an increasingly important cog in the digital money industry: “blockchain bridges,” sequences of code that help move cryptocurrencies between different applications.
So far this year, hackers have stolen $1.2 billion worth of cryptocurrencies through attacks on these bridges, according to data from British blockchain analytics firm Elliptic.
The amount is already more than double the amount stolen last year.
“This is a war that cybersecurity companies or digital currency projects cannot win,” said Ronghui Hu, professor of computer science at Columbia University in New York and co-founder of cybersecurity firm CertiK.
“We have to protect so many projects. For them (hackers) when they look at a project and there are no bugs, they can just move on to the next one until they find a weak spot.”
Currently, most digital tokens run on their own blockchain, essentially a public database that records cryptocurrency transactions.
This carries the risk of turning projects that use these coins into fiefdoms, reducing their prospects for wider use.
Blockchain bridges aim to overthrow these fiefdoms. Supporters of the technology say it will play a key role in “Web3” — the much-heralded vision of a digital future where cryptocurrencies will be a reality in everyday life and commerce. However, bridges may be the weakest link in that future.
The attack on Nomad was the eighth biggest crypto theft on record so far. Other bridge thefts this year include $615 million from Ronin, the bridge used in the popular online video game Axie Infinity, and $320 million from Wormhole, used in so-called decentralized financial investments.
“Blockchain bridges are the most fertile ground for new vulnerabilities,” said Steve Bassi, co-founder and president of malware detection company PolySwarm.
Nomad and other companies building blockchain bridges have attracted investor support.
Just five days before being targeted, the company raised $22.4 million from investors that included the world’s largest cryptocurrency exchange, Coinbase Global.
Nomad president and co-founder Pranay Mohan called the company’s security model the “gold standard.”
Representatives of Nomad did not respond to a request for comment.
Nomad previously stated that it is working with authorities and a blockchain analytics company to track the stolen money.
Last week, the company announced a reward of up to 10% for the return of resources stolen from the company’s bridge. The company said on Saturday it had recovered more than $32 million so far.
“The most important thing in the crypto world is the community, and our number one goal is to restore users’ funds,” said Mohan.
“We will treat any party that returns 90% or more of the stolen assets as ‘white hats’. We will not prosecute the ‘white hats’,” said the executive, using an expression that designates so-called “ethical hackers.”
Several cybersecurity and blockchain experts told Reuters that the complexity of the bridges means they can represent an Achilles heel for projects and applications that use them.
“One reason hackers have been targeting these cross-networks lately is because of the immense technical sophistication involved in creating these types of services,” said Ganesh Swami, chief executive of Canadian blockchain data firm Covalent, which had a few cryptocurrencies stored on Nomad’s bridge when it was targeted by the attack.
For example, some bridges create versions of cryptocurrencies that make them compatible with different blockchains, keeping the original coins in reserve.
Others rely on smart contracts, complex agreements that execute deals automatically.
The programming code involved in all of this can be flawed, which potentially leaves the door ajar for hackers.
So, what’s the best way to solve the problem? Some experts say smart contract audits can help protect against digital theft, as can “bug bounty” programs that encourage programming code reviews.
Others call for less concentration of control of bridges by individual companies, something they say can reinforce the resilience and transparency of the code.
“Cross bridges are an attractive target for hackers because they often take advantage of a centralized infrastructure that locks assets in most cases,” said Victor Young, founder of US blockchain firm Analog.
Source: CNN Brasil