Security

Why are blockchain bridges hacked?

Blockchain bridges are a key part of the technology's future, but they harbor major risks for protocols and ecosystems.

Range Team

Bridges connecting different blockchains have become a mainstay of the industry in the past three years, enabling assets to flow between ecosystems. This is a vital function for the future of finance as most blockchains currently cannot otherwise interact. 

However, bridges have also been a focal point for malicious actors, precisely because a lot of value is exchanged on them and they have huge amounts of total value locked (TVL). That makes them systemically important, meaning that if they fail, the whole DeFi ecosystem is in peril. In the traditional finance world, systemically important institutions are regulated more heavily than others. We need to similarly raise the standards for blockchain bridges so that they cannot fail and, if they do, the damage can be quickly contained.

Ronin, Poly Network, Harmony Horizon, Wormhole and Nomad are all bridge protocols that were hacked in the past two years, affecting $1.8 billion in assets. 

A key reason why bridges are vulnerable is that they are massively complex engineering tasks. They require the coordination of different blockchains and programming languages, so they often end up being more complicated than the blockchains they are linking. This makes it easier for hackers to find design and implementation flaws. In software, the attack surface and the number of errors in a system are directly proportional to its complexity. The most secure program is the one you never write.

However, not all bridges are created equal, and each carries different security risks.

Types of bridges

At Range, we see a spectrum of trust that can be used to classify different bridge designs, like our colleagues at DeFi liquidity middleware Li.fi. The key distinction is who validates the system.

Trusted bridges entail trust in the humans that operate them, i.e. in project leaders or governance delegates. They rely on external validators and federations to act as referees, which are different from the validators of the blockchains they connect. Users therefore need to trust another set of validators, which are often less reliable than those of the underlying blockchains.

This is the case of the Ronin Bridge, which connects the Ronin sidechain from Axie Infinity to Ethereum and was hacked for about $600 million in 2022. The Ronin Bridge is a 5-of-7 multisig bridge, which means that signatures from 5 of the 7 trusted delegates are required to approve deposits or withdrawals. Most of these keys were managed by Sky Mavis, the company behind Axie Infinity. During the hack, the attacker took possession of 5 of these keys and was able to withdraw funds at will.
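The 5-of-7 rule and the key concentration described above, as an added example that is not Ronin's or Range's code: a threshold check that counts only distinct trusted keys, and an audit that reports how many separate custodians would have to be compromised to reach the threshold. The key-to-custodian layouts and all names are constructed for illustration and are not any bridge's real key allocation.

```python
from collections import Counter


def is_approved(signers, validators, threshold):
    """M-of-N rule: each trusted validator key counts at most once."""
    return len(set(signers) & set(validators)) >= threshold


def custodians_to_reach_threshold(key_custodian, threshold):
    """Smallest set of custodians whose combined keys meet the threshold.

    key_custodian maps each validator key to the party that stores it.
    Returns (count, custodians), or (None, []) if the threshold is unreachable.
    """
    keys_per_custodian = Counter(key_custodian.values())
    held, chosen = 0, []
    # Greedy is optimal here: taking the largest holders first reaches
    # the threshold with the fewest parties.
    for custodian, n_keys in keys_per_custodian.most_common():
        chosen.append(custodian)
        held += n_keys
        if held >= threshold:
            return len(chosen), chosen
    return None, []


# Constructed 5-of-7 layouts (hypothetical custodians).
THRESHOLD = 5
CONCENTRATED = {
    "k1": "operator-a", "k2": "operator-a", "k3": "operator-a", "k4": "operator-a",
    "k5": "partner-b", "k6": "partner-c", "k7": "partner-d",
}
INDEPENDENT = {f"k{i}": f"custodian-{i}" for i in range(1, 8)}

if __name__ == "__main__":
    for name, layout in (("concentrated", CONCENTRATED), ("independent", INDEPENDENT)):
        count, parties = custodians_to_reach_threshold(layout, THRESHOLD)
        print(f"{name}: nominal {THRESHOLD}-of-{len(layout)}, "
              f"effective {count} custodian(s): {parties}")
```

The nominal threshold stays 5-of-7 in both layouts; the audit shows that the number of independent parties actually standing behind it can be far lower.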

Trust-minimized bridges remove the human element by solidifying trust into the code. In these bridges, also known as trustless bridges, the user doesn’t need to trust any third party or system beyond the blockchains they’re already using. In the case of the Cosmos Inter-Blockchain Communication Protocol, validators of the underlying blockchain and the bridge are the same. This avoids adding another trust requirement, as in trusted bridges, where the user would need to trust a centralized multisig or an external validator set.

Most bridges are somewhere on this spectrum; the closer they are to the trustless end, the more robust their security design is. The community has made good progress towards trustlessness, but that is not the whole story. Trustless systems tend to be more complex, exactly because they try to do away with human intervention. That means that they are more prone to flaws and have a larger surface area for attacks.

Even the most sound protocol designs are subject to implementation flaws. We need to internalize as an industry that there will always be another software bug, and focus on building the tools to contain the blast radius of an exploit when it occurs.

To deal with that, we need real-time ongoing monitoring and safety mitigation procedures. More on that in our next post.


Security infrastructure for rollups and blockchains

We help organizations build and use DeFi protocols, stablecoins and cross-chain bridges with peace of mind.


Range provides the leading enterprise-grade security and risk infrastructure suite for blockchain, rollups and bridges in the IBC ecosystem and beyond.
