This week, cryptocurrency network Ronin disclosed a breach in which attackers made off with $540 million worth of Ethereum and USDC stablecoins. The incident, one of the biggest heists in cryptocurrency history, specifically siphoned funds from a service known as Ronin Bridge. Successful attacks against "blockchain bridges" have become increasingly common over the past few years, and the Ronin situation is a stark reminder of the urgency of the problem.
Blockchain bridges, also known as network bridges, are applications that allow people to move digital assets from one blockchain to another. Cryptocurrencies are generally isolated and noninteroperable—you can’t transact on the Bitcoin blockchain using Dogecoin—so “bridges” have become a crucial mechanism, almost a missing link, in the cryptocurrency economy.
Bridging services "wrap" cryptocurrency: you deposit coins of one type on one chain, and the bridge issues a token on the other chain that represents them. So if you take bitcoin (BTC) to a bridge, the bridge locks your BTC and spits out wrapped bitcoin (WBTC) on the destination chain. It's like a gift card or check that represents stored value in a flexible alternative format. Bridges need a reserve of locked coins to back all these wrapped tokens, and that reserve of wealth is a prime target for hackers.
"Every asset on the chain is under attack 24/7/365, so bridges will always be a popular target," says James Prestwich, who studies and develops cross-chain communication protocols. "Bridges will continue to grow because people will always want the ability to join new ecosystems. Over time we will professionalize, develop best practices, and have more people capable of building and analyzing bridge code. The bridges are new enough that there are very few experts."
In addition to the Ronin heist, attackers stole about $80 million worth of cryptocurrency from the Qubit Bridge in late January, an estimated $320 million worth from the Wormhole Bridge in early February, and $4.2 million days later from the Meter.io bridge. Memorably, Poly Network's bridge had around $611 million worth of cryptocurrency stolen last August, before the attacker returned the funds a few days later. In all of these attacks, hackers used software vulnerabilities to siphon off funds, but the Ronin Bridge attack had another weak point.
Ronin was created by Vietnamese company Sky Mavis, which developed the popular NFT-based video game Axie Infinity. In the case of this bridge hack, it appears that the attackers used social engineering to fraudulently gain access to the private signing keys that validators use to approve transactions on the network. And the way those keys were set up to validate transactions wasn't as strict as it could have been: the approval threshold was low enough that the keys the attackers obtained were sufficient to sign off on their own malicious withdrawals.
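To make the two mechanisms above concrete (the locked reserve that backs wrapped tokens, and the validator approvals that gate withdrawals from it), here is a toy lock-and-mint bridge written for this article. It is an added illustration, not Ronin or Sky Mavis code, and it assumes a simplified design: validator "signatures" are HMAC-SHA256 tags from per-validator secrets rather than real digital signatures, validator names and secrets are constructed for the demo, and the validator count (9) and thresholds used in the simulation are chosen for illustration, not taken from any real bridge. The point it shows is the one the text makes: a withdrawal passes as soon as an attacker holds a threshold's worth of distinct validator keys, so the threshold, not the number of validators, is what the reserve's safety rests on.

```python
"""Toy lock-and-mint bridge with an M-of-N validator set (added illustration)."""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Withdrawal:
    """A request to release locked coins on the source chain."""
    recipient: str
    amount: int
    nonce: int

    def digest(self) -> bytes:
        # Canonical encoding so every validator signs exactly the same bytes.
        payload = json.dumps(
            {"recipient": self.recipient, "amount": self.amount, "nonce": self.nonce},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(payload).digest()


class Validator:
    """One bridge validator. HMAC stands in for a real signature scheme (assumption)."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self._secret = secret

    def sign(self, w: Withdrawal) -> bytes:
        return hmac.new(self._secret, w.digest(), "sha256").digest()

    def verify(self, w: Withdrawal, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(w), sig)


class Bridge:
    """Deposits lock coins in the reserve and mint wrapped tokens; withdrawals burn
    wrapped tokens and release reserve, but only with `threshold` distinct approvals."""

    def __init__(self, validators, threshold: int) -> None:
        if not 0 < threshold <= len(validators):
            raise ValueError("threshold must be between 1 and the validator count")
        self.validators = {v.name: v for v in validators}
        self.threshold = threshold
        self.reserve = 0          # coins locked on the source chain
        self.wrapped_supply = 0   # wrapped tokens outstanding on the destination chain
        self.used_nonces = set()  # replay protection for approved withdrawals

    def lock(self, amount: int) -> None:
        self.reserve += amount
        self.wrapped_supply += amount

    def invariant_holds(self) -> bool:
        # Every wrapped token must be backed one-for-one by a locked coin.
        return self.reserve == self.wrapped_supply

    def withdraw(self, w: Withdrawal, signatures: dict) -> bool:
        """Release funds only if enough distinct known validators signed this exact request."""
        approvers = {
            name for name, sig in signatures.items()
            if name in self.validators and self.validators[name].verify(w, sig)
        }
        if len(approvers) < self.threshold:
            return False
        if w.nonce in self.used_nonces or w.amount <= 0 or w.amount > self.reserve:
            return False
        self.used_nonces.add(w.nonce)
        self.reserve -= w.amount
        self.wrapped_supply -= w.amount
        return True


def make_validators(n: int) -> list:
    # Constructed, deterministic demo secrets; a real deployment generates these per validator.
    return [
        Validator(f"validator-{i}", hashlib.sha256(f"demo-secret-{i}".encode()).digest())
        for i in range(n)
    ]


def attempt_with_compromised_keys(threshold: int, compromised: int, n: int = 9) -> bool:
    """Can an attacker holding `compromised` of `n` validator keys drain the reserve?"""
    validators = make_validators(n)
    bridge = Bridge(validators, threshold)
    bridge.lock(1_000)
    drain = Withdrawal(recipient="attacker", amount=1_000, nonce=1)
    stolen_sigs = {v.name: v.sign(drain) for v in validators[:compromised]}
    return bridge.withdraw(drain, stolen_sigs)


if __name__ == "__main__":
    for threshold, compromised in [(5, 4), (5, 5), (7, 5)]:
        drained = attempt_with_compromised_keys(threshold, compromised)
        print(f"threshold {threshold}/9, attacker holds {compromised} keys: drained={drained}")
```

Running the block shows that with a 5-of-9 threshold, four stolen keys are rejected and five are enough to empty the reserve, while raising the threshold to 7 of 9 makes the same five keys useless. The `withdraw` check also counts approvers as a set of distinct validator names, rejects replayed nonces, and refuses to pay out more than is locked, so the reserve never goes below the outstanding wrapped supply; which threshold is "strict enough" is a design decision about how many keys an attacker could plausibly obtain at once.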