NEW YORK (BLOOMBERG) – The hack of a so-called bridge supporting Axie Infinity’s play-to-earn game revealed last week highlights the increasingly problematic nature of the arcane software used within the burgeoning world of cryptocurrencies, blockchains and the metaverse.
Weaknesses in bridges, which allow tokens designed for one blockchain to be used on another, have led to more than US$1 billion (S$1.36 billion) in stolen cryptocurrency in a little more than a year across seven different incidents, according to data compiled by researcher Chainalysis.
In the case of the Ronin Bridge, which was recently hacked, the software was adopted to help Axie Infinity’s network accelerate transactions and reduce costs since the underlying Ethereum blockchain was not able to handle the surging demand from gamers quickly or cheaply. “Bridges, in my opinion, are the single largest potential point of failure in crypto right now,” said Mr Sam Peurifoy, head of interactive at Hivemind Capital, who also leads the play-to-earn guild Kapital DAO in Axie Infinity.
More than US$21 billion is locked on Ethereum bridges, data from Dune Analytics shows. In February, hackers stole around US$300 million from Wormhole, a bridge connecting Ethereum to the Solana blockchain. That same month, the Meter Passport bridge got hacked for several million dollars of crypto. In January, Qubit Finance, a project that enables cross-chain function, was hacked. In addition to hacks, bridges have proven to be vulnerable to other unique problems.
Last year, the Optics bridge on the Celo network ended up being inoperable after its bridge development team effectively lost control of the project.
It is often hard to figure out who created a particular bridge or who operates it.
Developers can be anonymous, and the names of the validators – a handful of computers that secure the bridge’s transactions – may be purposefully kept secret. Many are run by organisations with little security staff – it can take days for an issue to even be discovered. At Ronin, the roughly US$600 million theft happened on March 23 but was only discovered on March 29. Bridges are becoming increasingly vulnerable as the value of tokens going through them increases. Some 13 years ago, there was only the Bitcoin blockchain.
Now, there are thousands of blockchains, each with their own advantages – such as lower transaction fees – and with their own army of applications, ranging from non-fungible marketplaces to decentralised crypto exchanges.
Investors increasingly have to jump from one chain to another to earn yields or to buy art: someone who holds Ether tokens may wish to go onto Solana to purchase non-fungible tokens (NFTs) or to Polygon to play games, for example.
“I know it sounds like the cross bridges are a bit of a train wreck, but I don’t think it’s as bad as that,” Mr Peter Robinson, a bridge expert at blockchain infrastructure builder ConsenSys, said in an interview before the Ronin hack.
Axie Infinity’s Ronin was built to handle more demand from Axie gamers who are looking for ways to avoid Ethereum’s expensive transaction fees.
“Bridges are an incredibly critical piece of infrastructure at this point,” Mr Kanav Kariya, president of Jump Crypto, said in an interview after the Wormhole hack. “We are strongly moving towards a multi-chain world.”
Back in February, Jump Crypto ended up providing more than US$300 million of Ether so Wormhole’s users would not lose funds. A loss of a bridge can reverberate throughout a small blockchain’s ecosystem of apps, all of which may end up with massive losses.
“We’ve invested billions of dollars into the crypto ecosystem,” Mr Kariya said. “Given the possible ripple effects of such a critical piece of infrastructure having a loss, we thought it was critical to step in in the early stages.”
Ronin’s situation is a bit different. Axie Infinity, created by the Sky Mavis gaming studio, is the chain’s main app, and Sky Mavis also built the Ronin Bridge. The firm said it will reimburse users, though exactly how remains unclear.
Ethereum co-founder Vitalik Buterin warned in January that bridges have “fundamental security limits”. Mr Buterin advocates holding native assets on each blockchain they were designed for to keep them safe. But that may not be affordable for many.
One key underlying problem is that most bridges do not have insurance, and do not guarantee a reimbursement of funds if they are lost. “We don’t provide implicit guarantees,” Mr Yat Siu, co-founder of Animoca Brands and an investor in Sky Mavis, said in an interview before the Ronin hack.
“We think of it as more of a warranty service. If a product ended up being faulty, if you have a faulty car, we’ll give you back your money.”