According to the blockchain analytics firm Chainalysis, 13 separate cross-chain bridge hacks have been recorded so far this year, with $2 billion worth of crypto stolen. This type of attack, which now accounts for 69% of crypto theft in 2022, is visibly gaining traction.
 
Understanding what cross-chain bridges are, and which of their vulnerabilities hackers exploit, can help separate this particular danger from the wider DeFi environment and anticipate its future development.
 
About cross-chain bridges
 
We live in a world of many blockchains, each with its own specifics and ecosystem. However, most blockchains are closed entities, which creates the need for interoperability protocols that enable transferring data and tokens from one chain to another. Operations like staking Bitcoin on an Ethereum-based DeFi protocol or transferring ether to Ethereum’s layer-2 solution Polygon require cross-chain bridges.
 
Most cross-chain bridges work in quite a straightforward way: a coin is frozen on one chain, and its “wrapped” version is created on another. Such coins usually have a “w” in front of their ticker, like wBTC or wETH.
 
However, this approach introduces the danger of centralization: users must give up control over their token, trusting the protocol to correctly create its equivalent on another chain. Unsurprisingly, where there’s centralization, hackers abound.
 
What happened to Nomad?
 
The most common way of exploiting cross-chain bridges is finding a vulnerability in the smart contracts that manage the deposited tokens – and this is exactly what happened to Nomad.

During a routine upgrade in April, Nomad’s developers initialized the trusted root (the value against which data in a Merkle tree is verified, as used in the Ethereum protocol) with a zero hash value, which had the side effect of automatically proving every bridge-in transaction without verifying it. Once the bug was discovered, all the attackers had to do was find a transaction that worked, replace the other person's address with their own, and rebroadcast it to the network.
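
The failure described above, as an added example in Python (not Nomad's contract code): a simplified model of a bridge's inbound-message check, showing a zero trusted root accepting a message that was never proven, beside a hardened check that rejects it. The class and function names, the fallback-to-zero lookup and the sample messages are assumptions made for illustration.

```python
import hashlib

ZERO_ROOT = bytes(32)  # all-zero hash, the value the trusted root was initialized with

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def merkle_root(leaf, proof):
    """Fold a leaf up the tree; each proof step is (sibling_hash, sibling_is_left)."""
    node = leaf
    for sibling, sibling_is_left in proof:
        node = h(sibling, node) if sibling_is_left else h(node, sibling)
    return node

class Bridge:
    """Toy inbound-message checker (hypothetical names, not Nomad's contract code)."""
    def __init__(self, trusted_root, reject_zero):
        if reject_zero and trusted_root == ZERO_ROOT:
            raise ValueError("the zero hash must never be a trusted root")
        self.trusted = {trusted_root}
        self.reject_zero = reject_zero
        self.proven_under = {}  # message hash -> root its Merkle proof produced

    def prove(self, message, proof):
        root = merkle_root(h(message), proof)
        if root not in self.trusted:
            return False
        self.proven_under[h(message)] = root
        return True

    def process(self, message):
        # Assumption: a never-proven message reads as the zero root, like an unset Solidity mapping entry.
        root = self.proven_under.get(h(message), ZERO_ROOT)
        if self.reject_zero and root == ZERO_ROOT:
            return False  # hardened: "no proof on record" is never acceptable
        return root in self.trusted

# Constructed sample data: a two-leaf tree holding one genuine deposit.
deposit = b"to=alice;amount=100"
sibling = b"to=bob;amount=5"
good_root = h(h(deposit), h(sibling))
deposit_proof = [(h(sibling), False)]  # sibling sits to the right of the deposit
unproven = b"to=someone-else;amount=100"  # no proof was ever submitted for this

def run_demo():
    weak = Bridge(ZERO_ROOT, reject_zero=False)
    hardened = Bridge(good_root, reject_zero=True)
    proven_ok = hardened.prove(deposit, deposit_proof) and hardened.process(deposit)
    return (weak.process(unproven), hardened.process(unproven), proven_ok)
```

`run_demo()` returns, in order, whether the zero-root bridge accepts the unproven message, whether the hardened bridge accepts it, and whether the hardened bridge still accepts the genuinely proven deposit.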
 
The attack’s “free-for-all” nature did have a positive side to it: ethical hackers took part in the theft in order to safeguard coins from their less scrupulous peers. After Nomad published a secure address for funds recovery, white hat hackers returned over $32 million worth of crypto.
 
Building better bridges
 
Bugs and errors are all too common in software protocols. One can always strive for perfection, of course, but centralized protocols will always mean a single point of failure.

One way to counter it could be the so-called “layer-0” chains like Polkadot (and its faster version Kusama) or Cosmos, which were designed specifically to support numerous blockchains capable of interacting with each other. However, such blockchains do not provide an interoperability solution for existing blockchains like Bitcoin or Ethereum.
 
Another way of avoiding a single point of failure is to decentralize the bridge itself. Some existing solutions like cBridge or Anyswap operate as small blockchains, decentralizing important decisions like approving the deposit of funds on one side and releasing their equivalent on the other side.
 
With this type of cross-chain bridge, decentralization must be taken seriously, as the late March hack of Axie Infinity’s Ronin chain showed. Although supposed to be decentralized, the bridge linking Ronin to Ethereum relied on only nine validators, and the hacker managed to obtain the five out of nine private keys necessary to divert the funds (four belonged to the employees of Sky Mavis, Axie’s developer company, and one to Axie DAO). Since the hack, which was undoubtedly a very traumatic experience for the company with over $600 million worth of crypto stolen, it has been adding validators, recently reaching 19.

Every massive hack of a crypto protocol harms the whole crypto space, as users grow distrustful. Cross-chain bridges are certainly the weakest link in the whole ecosystem now, and they should be used sparingly until the industry develops safer standards.
 
The open-source nature of crypto leverages IT brainpower from all over the world, which helps improve the existing protocols and sometimes discover vulnerabilities before hackers do. However, the bridging protocols with the best chance of succeeding in the long term will be those that achieve true decentralization.
Written by D.Center