Is there a secure future for cross-chain bridges?


The plane touches down and comes to a halt. For passport control, one of the passengers stops at a vending machine to buy a bottle of soda—but the device is absolutely indifferent to all their credit cards, cash, coins, and everything else. As far as the machine is concerned, it is all part of a foreign economy and as such they cannot buy a drop of coke.

In the real world, the machine would have been quite happy with a MasterCard or Visa. And the cash exchange desk at the airport would have been just as happy to come to the rescue (with a hefty markup, of course). However, in the world of blockchain, the above scenario turns out to be spot on with some commentators, as long as we travel abroad to move assets from one chain to another.


While blockchains as decentralized ledgers are very good at tracking the transfer of value, each layer-1 network is an entity in itself, unaware of any non-internal events. Since such chains are, by extension, different entities compared to each other, they are not inherently interacting. This means that you cannot use your bitcoin (BTC) to access a decentralized finance (DeFi) protocol from the Ethereum ecosystem unless the two blockchains can communicate.

Powering this communication is a so-called bridge – a protocol that enables users to transfer their tokens from one network to another. Bridges can be centralized – that is, operated by a single entity, such as Binance Bridge – or built to varying degrees of decentralization. Either way, their main function is to enable the user to move their assets between different chains, which means greater utility and thus, value.

As simple as the concept sounds, it is not the most popular with many in the community right now. On the one hand, Vitalik Buterin recently expressed doubts about the concept, warning that cross-chain bridges could enable 51% attacks on cross-chains. On the other hand, spoofing-based cyber attacks on cross-chain bridges exploiting their smart contract code vulnerabilities, as was the case with Wormhole and Qubit, have led critics to wonder whether cross-chain bridges were purely The technicalities may include anything other than security obligations. terms. So, is it time to abandon the idea of ​​the Internet of blockchains held together by bridges? Not necessarily.

related: Crypto, Like Railways, Is One of the World’s Top Innovations of the Millennium

When Contracts Get Too Smart

While the details depend on the specific project, a cross-chain bridge connecting the two chains with smart contract support normally functions like this. A user sends their tokens (let’s call them catcoins, felines are cool too) on Chain1 to a bridge wallet or smart contract. This smart contract has to pass the data to Bridge’s smart contract on Chain 2, but since it is unable to access it directly, a third-party entity – either a centralized or (to a certain extent) decentralized intermediary – One has to take the message across. Chain2’s contract then puts the synthetic token in the wallet provided by the user. There we go – the user now has their wrapped catcoins on Chain 2. It’s like exchanging fiat currency for chips in a casino.

In order to withdraw their Catcoins on Chain 1, users must first send the synthetic tokens to a contract of Bridges or wallets on Chain 2. Appropriate amount of Catcoins in a given target wallet. On Chain 2, depending on the precise design and business model of the bridge, user-initiated synthetic tokens are either burned or held in custody.

Keep in mind that each step of the process is actually broken down into a linear sequence of smaller tasks, with even the initial transfer performed in steps. The network must first check if the user actually has enough catcoins, subtract them from their wallet, then add the appropriate amount to the smart contract. These steps make up the overall logic that handles the value being transferred between chains.

In the case of both Wormhole and Qubit Bridge, attackers were able to exploit loopholes in smart contract logic to feed counterfeit data to the bridge. The idea was to get synthetic tokens on Chain 2 without actually depositing anything on the bridge on Chain 1. And in truth, both come down to the hack that occurs in most attacks on DeFi services: exploiting or manipulating the logic powering a specific process for financials. edge. A cross-chain bridge connects two layer-1 networks, but things go the same way between layer-2 protocols.

As an example, when you stake a non-native token on a yield farm, the process involves an interaction between two smart contracts – the tokens that power the farm. If there is a logical flaw in an underlying sequence that a hacker can exploit, so will the criminal, and so did GrimFinance in December of nearly $30 million. So, if we are prepared to bid farewell to cross-chain bridges due to many flawed implementations, we might as well choose smart contracts, bringing crypto back to its stone age.

related: DeFi attacks are on the rise – will the industry be able to stem the tide?

A steep learning curve to master

There’s a bigger point to be made here: don’t blame a concept for a faulty implementation. Hackers always follow money, and the more people use cross-chain bridges, the greater their incentive to attack such protocols. The same logic applies to anything that holds value and is connected to the Internet. Banks get hacked too, and yet, we are in no hurry to shut them all down because they are a vital part of the larger economy. In a decentralized space, cross-chain bridges also play a major role, so it makes sense to restrain our anger.

Blockchain is still a relatively new technology, and the community around it, as vast and bright as it is, is only figuring out best security practices. This is even more true for cross-chain bridges, which serve to link protocols to various underlying rules. Right now, they are a nascent solution that opens the door for moving value and data across networks to form something larger than the sum of its components. There is a learning curve, and it is well worth mastering.

While Buterin’s argument, for its part, goes beyond implementation, it is still not without caveats. Yes, a malicious actor in control of the hash rate of a small blockchain or 51% of the staked tokens could attempt to steal Ether (ETH) locked on the bridge at the other end. Attack volume will hardly exceed the market capitalization of the blockchain, as this is the maximum hypothetical limit on how much an attacker can deposit into the bridge. Shorter chains have smaller market caps, so the damage to Ethereum would be minimal, and the return on investment would be questionable for the attacker.

While most of today’s cross-chain bridges are not without their flaws, it is too early to dismiss their underlying concept. In addition to regular tokens, such bridges can also transfer other assets, ranging from non-fungible tokens to zero-knowledge proofs of identity, making them highly valuable to the entire blockchain ecosystem. A technology that adds value to every project by bringing it to a wider audience, shouldn’t be viewed in a purely zero-sum context, and its promise of connectivity is a risk worth taking.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should do their own research when making a decision.

The views, opinions and opinions expressed here are those of the author alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

lior lamesh He is the co-founder and CEO of GK8, a blockchain cybersecurity company that provides a custodial solution for financial institutions. After reporting his cyber skills directly to the Prime Minister’s Office in Israel’s elite cyber team, Lior led the company from inception to a successful acquisition in November 2021 for $115 million. In 2022, Forbes hired Lior and his business partner Shehar Shamai. 30 under 30 list.