Is there a secure future for cross-chain bridges?

The plane landed and stopped. On the way to passport control, a passenger stopped in front of a vending machine to buy a soda – but the device was completely indifferent to all their credit cards, cash, coins and everything else. As far as machines are concerned, all of these are part of foreign economies, so they can’t even buy a drop of Coke.

In the real world, a machine would be happy with a Mastercard or Visa. The cash exchange offices at the airport will also be happy to come to the rescue (with a high markup, of course). However, in the blockchain world, the above has caught the attention of some commentators whenever we exchange travel abroad to transfer assets from one chain to another.

While blockchains as decentralized ledgers are very good at tracking value transfers, each layer 1 network is an entity in itself, unaware of any non-intrinsic events. Since such chains are separate entities by extension, they are not inherently interoperable. This means that you cannot spend your bitcoins (bitcoin) to access decentralized finance (DeFi) protocols from the Ethereum ecosystem, unless the two blockchains can communicate.

Powering this communication is what’s known as a bridge — a protocol that enables users to transfer their tokens from one network to another. Bridges can be centralized—that is, run by a single entity, such as the Binance Bridge—or built to varying degrees of decentralization. Either way, their core mission is to enable users to move their assets between different chains, which means more utility, and thus value.

As convenient as the concept sounds, it’s not the most popular concept in the community right now. On the one hand, Vitalik Buterin Recently skeptical about the concept, warns that cross-chain bridges can enable cross-chain 51% attacks.On the other hand, exploiting its smart contract code vulnerabilities to conduct spoof-based network attacks on cross-chain bridges, such as Wormhole and qubit, prompting critics to ponder whether cross-chain bridges can be a purely technical security liability. So, is it time to abandon the idea of ​​a blockchain internet connected by bridges? unnecessary.

related: Like railroads, cryptocurrencies are one of the world’s top innovations of the millennium

When contracts get too smart

While the details depend on the specific project, a cross-chain bridge connecting two smart contract-enabled chains typically works this way. Users send their tokens on chain 1 (we call them Catcoins, cats are cool too) to the bridge’s wallet or to a smart contract there. This smart contract must pass data to the smart contract of the bridge on Chain 2, but with no direct access to it, a third-party entity—whether a centralized or (to some extent) decentralized intermediary—must deliver the message. Chain 2’s contract then mints the synthetic token into a user-provided wallet. Here we go – the user now owns the wrapped catcoin on chain 2. It’s a lot like exchanging fiat currency for chips at a casino.

In order to get their Catcoins back on Chain 1, users first have to send the synthetic tokens to a contract or wallet on the bridge on Chain 2. A similar process then plays out as the intermediary pings the bridge’s contract on chain 1 to release the appropriate amount of Catcoins to the given target wallet. On Chain 2, depending on the exact design and business model of the bridge, synthetic tokens handed in by users are either burned or held in custody.

Remember that each step of the process is actually broken down into a series of smaller operations, even the initial transfer is done in steps. The network must first check that users actually have enough catcoins, subtract them from their wallets, and then add the appropriate amount to the smart contract. These steps form the overall logic for handling values ​​that move between chains.

In the case of Wormhole and Qubit bridges, attackers are able to exploit flaws in smart contract logic to provide bridges with spoofed data. The idea is to get synthetic tokens on chain 2 without actually depositing anything on the bridge on chain 1. To be honest, both hacks boil down to what happens in most attacks on DeFi services: exploiting or manipulating the logic that powers specific financial processes. A cross-chain bridge connects two layer 1 networks, but also functions in a similar way between layer 2 protocols.

For example, when you put a non-native token into a yield farm, the process involves an interaction between two smart contracts​​​—the contract that powers the token and the farm. Criminals do if any underlying sequence has a logical flaw that hackers can exploit, which is why GrimFinance lost about $30 million in December. So if we’re ready to say goodbye to cross-chain bridges due to several flawed implementations, we might as well silo smart contracts and bring cryptocurrencies back to their stone age.

related: DeFi attacks are on the rise – can the industry stem the trend?

Mastering a steep learning curve

Here’s a more important point: don’t blame a concept for a flawed implementation. Hackers always follow the money, and the more people use cross-chain bridges, the more motivated they are to attack such protocols. The same logic applies to anything that has value and is connected to the internet. Banks have also been hacked, but we are in no rush to close all of them because they are a vital part of the larger economy. In the decentralized space, cross-chain bridges also play an important role, so it makes sense to curb our anger.

Blockchain is still a relatively new technology, and the community around it, while large and bright, is just figuring out best security practices. This is especially true for cross-chain bridges, which can connect protocols with different underlying rules. Currently, they are a nascent solution, opening the door to moving value and data across networks that make up something greater than the sum of its components. There’s a learning curve and it’s worth mastering.

While Buterin’s argument, by itself, falls outside the scope of implementation, it’s still not without caveats. Yes, malicious actors controlling 51% of the hashrate of small blockchains or collateralizing tokens could try to steal ether (Ethereum) to the bridge at the other end. The number of attacks will hardly exceed the market capitalization of the blockchain, as this is the maximum assumed limit an attacker can deposit into the bridge. Smaller chains have smaller market caps, so the damage to Ethereum will be minimal, and the attacker’s return on investment will be questionable.

While most cross-chain bridges today are not without flaws, it is too early to abandon their basic concept. In addition to regular tokens, such bridges can also transfer other assets, from non-fungible tokens to zero-knowledge proofs of identification, making them of enormous value to the entire blockchain ecosystem. A technology that adds value to every project by bringing it to a larger audience should not be seen as a pure zero-sum term, its promise of connectivity is worth the risk.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should do their own research when making a decision.

The views, thoughts and opinions expressed here are solely those of the author and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Lille Ramesh is the co-founder and CEO of GK8, a blockchain cybersecurity company that provides custody solutions to financial institutions. After honing his cyber skills with an elite Israeli cyber team reporting directly to the Prime Minister’s Office, Lior led the company from its inception to a successful $115 million acquisition in November 2021. In 2022, Forbes named Lior and his business partner Shahar Shamai 30 under 30.