Blockchains Have a ‘Bridge’ Problem, and Hackers Know It

This week, the cryptocurrency network Ronin disclosed a breach in which attackers made off with $540 million worth of Ethereum and USDC stablecoin. The incident, which is one of the biggest heists in the history of cryptocurrency, specifically siphoned funds from a service known as the Ronin Bridge. Successful attacks on “blockchain bridges” have become increasingly common over the past couple of years, and the situation with Ronin is a prominent reminder of the urgency of the problem.

Blockchain bridges, also known as network bridges, are applications that allow people to move digital assets from one blockchain to another. Cryptocurrencies are typically siloed and can’t interoperate—you can’t do a transaction on the Bitcoin blockchain using Dogecoins—so “bridges” have become a crucial mechanism, almost a missing link, in the cryptocurrency economy.

Bridge services “wrap” cryptocurrency to convert one type of coin into another. So if you bring one currency, like Bitcoin (BTC), to a bridge in order to use it on another chain, the bridge will spit out wrapped bitcoins (WBTC) on that chain. It’s like a gift card or a check that represents stored value in a flexible alternative format. Bridges need a reserve of cryptocurrency coins to underwrite all those wrapped coins, and that trove is a major target for hackers.

“Any capital on-chain is subject to attack 24/7/365, so bridges will always be a popular target,” says James Prestwich, who studies and develops cross-chain communication protocols. “Bridges will continue to grow because people will always want the opportunity to join new ecosystems. Over time, we’ll professionalize, develop best practices, and there will be more people capable of building and analyzing bridge code. Bridges are new enough that there are very few experts.”

In addition to the Ronin heist, attackers stole about $80 million worth of cryptocurrency from Qubit Bridge at the end of January, roughly $320 million worth from Wormhole Bridge at the beginning of February, and $4.2 million worth days later from Meter.io Bridge. Memorably, the Poly Network bridge had about $611 million worth of cryptocurrency stolen last August, before the attacker gave the funds back a few days later. In all of these attacks, hackers exploited software vulnerabilities to drain funds, but the Ronin Bridge attack had a different weak point.

Ronin was created by the Vietnamese company Sky Mavis, which develops the popular NFT-based video game Axie Infinity. In the case of this bridge hack, it seems attackers used social engineering to trick their way into accessing the private keys used to validate transactions on the network. And the way these keys were set up to validate transactions was not maximally rigorous, allowing attackers to approve their malicious withdrawals.

“As we’ve witnessed, Ronin is not immune to exploitation, and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats,” the company wrote in its initial statement about the incident on Tuesday.

Ronin discovered the breach that day, but the platform’s “validator nodes” had been compromised on March 23. Attackers stole 173,600 Ethereum and 25.5 million USDC. Ronin Bridge has been down ever since, and users can’t carry out transactions on the platform.
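To make concrete the two mechanisms the article describes, the wrapped-coin reserve and the validator keys that approve withdrawals, here is an added toy model in Python; it is not code from the article, Ronin or Sky Mavis. The validator ids, threshold and amounts are constructed, and the solvency check shows the invariant a monitor would watch: once releases signed by compromised keys outpace burns, the reserve no longer backs the wrapped supply.

```python
from dataclasses import dataclass

@dataclass
class Bridge:
    """Toy lock-and-mint bridge (constructed for illustration)."""
    validators: frozenset    # validator key ids allowed to approve a release
    threshold: int           # approvals required before reserve is released
    reserve: int = 0         # native coins locked on the source chain
    wrapped_supply: int = 0  # wrapped coins outstanding on the other chain

    def lock_and_mint(self, amount: int) -> None:
        """User locks native coins; the bridge mints the same amount wrapped."""
        self.reserve += amount
        self.wrapped_supply += amount

    def burn(self, amount: int) -> None:
        """User burns wrapped coins to ask for the native coins back."""
        if amount > self.wrapped_supply:
            raise ValueError("cannot burn more than is outstanding")
        self.wrapped_supply -= amount

    def release(self, amount: int, approvals: set) -> int:
        """Pay out reserve once enough validator keys have signed. The bridge sees only
        signatures: a burn-backed release and one signed with stolen keys look identical."""
        if len(approvals & self.validators) < self.threshold:
            raise PermissionError("insufficient validator approvals")
        if amount > self.reserve:
            raise ValueError("insufficient reserve")
        self.reserve -= amount
        return amount

    def is_fully_backed(self) -> bool:
        """Solvency invariant a monitor should alert on the moment it breaks."""
        return self.reserve >= self.wrapped_supply

def keys_needed_to_drain(bridge: Bridge, compromised: set) -> int:
    """Extra validator keys an attacker still needs to reach the threshold."""
    return max(0, bridge.threshold - len(compromised & bridge.validators))

def demo() -> dict:
    # Constructed validator set and threshold, not Ronin's real configuration.
    bridge = Bridge(frozenset(f"v{i}" for i in range(1, 10)), threshold=5)
    bridge.lock_and_mint(1000)
    bridge.burn(100)                                      # user redeems 100
    bridge.release(100, {"v1", "v2", "v3", "v4", "v5"})  # legitimate, burn-backed
    backed_before = bridge.is_fully_backed()
    bridge.release(900, {"v1", "v2", "v3", "v4", "v5"})  # stolen keys, no burn
    return {"backed_before": backed_before, "backed_after": bridge.is_fully_backed(),
            "reserve": bridge.reserve, "wrapped_supply": bridge.wrapped_supply,
            "keys_short_with_four": keys_needed_to_drain(bridge, {"v1", "v2", "v3", "v4"})}
```

Raising the threshold, or spreading keys across operators who cannot be socially engineered together, raises `keys_needed_to_drain`; a monitor that alerts when `is_fully_backed()` turns false catches a drain the contract itself cannot distinguish from a legitimate release.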