The second-largest decentralised finance (DeFi) hack occurred this week in an attack that swiped $320 million (€279 million), or 120,000 Ether, highlighting the growing trend of attacks on cryptocurrency platforms and concerns over security.
Wormhole, one of the most popular bridges which links the Ethereum and Solana blockchains, was hacked on Wednesday.
Solana felt the full effect of the heist and shed about 10 per cent off its price.
It is not the first time such a heist has happened. Just last week, hackers made off with $80 million (€70 million) from DeFi protocol Qubit Finance.
The biggest hack took place last August when $600 million (€525 million) worth of tokens was stolen from the Poly Network platform.But in a strange twist, the attacker then returned nearly all of the money as their aim was to expose the flaws in the system.
Such hacks are posing questions around the security of DeFi, an emerging financial technology that has programmable pieces of code known as smart contracts that can replace middlemen like banks and lawyers in transactions.
What is a bridge?
A bridge is a protocol that allows users to “bridge” or move assets such as cryptocurrencies, tokens and NFTs across different blockchains. It works by locking a transaction.
Crypto holders do not usually operate within just one blockchain ecosystem and so developers have created bridges to fill this void.
Wormhole has more than $1 billion (€875 billion) in total value locked and supports six blockchains: Terra, Solana, Ethereum, Binance Smart Chain, Avalanche and Polygon.
How did the hack happen?
A bridge hack is when a vulnerability is identified and exploited within the bridge contract connecting the two different blockchains, said Nicholas Percoco, chief security officer at Kraken, a United States-based cryptocurrency exchange and bank.
“In this instance, the Wormhole bridge, which permits transactions between Solana and Ethereum, was targeted. An attacker was able to mint new tokens on the Solana side of the bridge and drain the balance from Ethereum side of the bridge contract, equating to over $320 million,” he told Euronews Next.
According to Dr Merav Ozair, a blockchain expert and a FinTech Professor at Rutgers Business School in New Jersey in the United States, the hack happened on the “bridge,” which is Layer 2, not Layer 1 and was therefore not the cryptocurrencies that were themselves hacked.
Layer 1 is the term that’s used to describe the underlying main blockchain architecture (ie, a blockchain, such as Ethereum or Solana, Avalanche or Algorand). She said layer 1 is almost impossible to hack.
But Ozair explained that Layer 2, the overlaying network that lies on top of the underlying blockchain (such as the Wormhole bridge), is less secure and therefore more vulnerable to code bug exploitations.
“Ethereum and Solana have not been ‘hacked,’ the bridge has been. The analogous is that – if you have a bridge between 2 cities, the ‘attack’ occurred on the bridge between the cities, but each city has not been ‘attacked’ or damaged,” she told Euronews Next.
“Therefore, the solution should be in creating more secure blockchain bridges, shielding any potential ‘attacks’”.
Does blockchain need to become more secure?
Blockchain is a software that like others may be susceptible to erroneous code, known as bugs, which can be exploited, as we saw with Wormhole.
“High profile attacks, such as this one, reinforce the importance of the broader crypto ecosystem prioritising a security-first mindset and remaining vigilant,” said Percoco.
“Criminals constantly search for new attack vectors and vulnerabilities, which means that security protocols need to be consistently invested in and updated. We anticipate the spotlight on this event will focus the minds of cyber security teams across the blockchain ecosystem and will result in more robust protocols moving forward,” he said.
Due to the risks, Ozair said she has been advocating that there should be a mechanism that audits any applications before they are fully launched. This mechanism already exists in centralised systems such as in Apple’s apps.
“The blockchain ecosystem, if it wishes to scale and become mainstream, must fathom how an audit mechanism can be implemented in decentralised applications or platforms,” she said.
“This can be done and requires much thought and collaboration of the members in this ecosystem”.