According to a new report by crypto data aggregator Token Terminal, approximately 50% of exploits in decentralized finance, or DeFi, occur on cross-chain bridges. In two years' time, more than $2.5 billion have been stolen by hackers from exploiting vulnerabilities on cross-chain bridges. The amount is enormous comparison to other security breaches, such as DeFi lending hacks ($718 million) and decentralized exchange exploits ($362 million) in that period.
Bridge exploits account for ~50% of all DeFi exploits, totaling ~$2.5B in lost assets
— Token Terminal (@tokenterminal) October 18, 2022
These hacks can typically be attributed to smart contract loopholes (e.g. Wormhole & Nomad) or compromised private keys (e.g. Ronin & Harmony).
What will it take to create secure bridges? pic.twitter.com/LrVf0W0zeK
Cross-chain bridges, which allow users to port digital assets from one chain to another, are known for their ability to solve multi-chain scaling issues. However, their complexity to build and subsequently audit, combined with massive amounts of funds locked in their smart contracts, has attracted much attention from hackers.
Security experts, such as Immunefi's CEO Michael Amador, explain that some developers in the DeFi space are simply lacking the necessary knowledge to build such complex mechanisms:
"Many developers launch projects by simply copying and pasting code from other projects. When one of these projects has a vulnerability, others usually have that vulnerability as well. Open source smart contracts, being visible and accessible to all, can easily attract blackhats who study them, discover where they're vulnerable, and exploit them."
It also appears that the vast majority of the cross-change exploits happened thus far took place on Ethereum Virtual Machine (EVM) blockchains. This includes this year's most serious incidents such as the Axie Infinity Ronin bridge hack, the Wormhole token bridge hack, and the Nomad bridge hack.
Meanwhile, cross-chain bridges based on the Cosmos Interblockchain Communications protocol (IBC), which has surpassed $1 billion in total value locked, have largely avoided the spearhead of the attacks. Although, last week, Cosmos co-founder Ethan Buchman said that a major security vulnerability was discovered on IBC after security audits. The exploit has been patched, and no funds were lost as a result of the incident.