“ London bridge is falling down, falling down, falling down, London bridge is falling down my fair lady ”.
Like the London bridge the news regarding some of web3’s broken bridges were quite devastating and worrying. One may wonder if these hacks would stop or become more severe. On the contrary building a bridge that is beyond hacks is not an impossibility it only requires an architect to think in terms of resilience and robustness of his bridge architecture.
Let’s dive in, what could lead or result into this massive bridge collapse. Cross chain bridges are a crucial component of the web3 cyberspace, interconnecting different sovereign blockchain protocols and their respective consensus mechanisms together. It’s web3’s cross messaging layer without it there is nothing like sending message in form of text or transaction from one chain to the other.
so how were they hacked?
Euler lending protocol (my favorite), BSC, Wormhole these protocols experienced FAKE EVENTs. With fake events an attacker a bad actor is able to generate a fake deposit or deposit a valueless token into a liquidity pool and claim large amounts this is also known as magic money.
Validators like Gatekeeper’s, & watchmen are the watchmen of the web3 cyberspace listening out for transactions and authenticating them by telling the network that they have witnessed a transaction and it is true.
In the case Ronin’s hack bad actors were able to take over the validator network in order words their validation keys stolen and since they are interconnected having access to one validator enables you access to the others. This category of attack occurs mainly when bad actors have been able to identify an access control bugs in your library or in your program logic.
Imagine you received an email from a sender whose email address closely resembles one of the mail addresses in your contact list with the sender requesting you to carry out some instruction. This deceptive technique is further explored to identify **message verification bugs **existing both in your contract library and within the program logic of your smart contract. The Poly hack event occurred due to message verification bugs occurring within the program logic of the smart contract, therefore bad actors could fake up transactions which are not properly verified or by-passing the verification process and submitting a transaction that will enable him/her withdraw tokens to different accounts.
Validator takeover is another bridge hacking technique. This method of attacking bridges is a simultaneous event such that once an access bug has been discovered within your program then validator take over is bound to happen since bad actors now have access to private keys of validators.
In my second episode
watch-out for how to re-engineer cross chain bridges from a security point of view.