Aug 9 (Reuters) – Another day, another hack – and another blockchain bridge burned.

When thieves stole about $190 million from US crypto firm Nomad last week, it was the seventh hack of 2022 that targeted an increasingly important cog in the crypto engine: blockchain “bridges” – strings of code that help move cryptocurrencies between different applications.

So far this year, hackers have stolen about $1.2 billion worth of crypto from bridges, according to data from London-based blockchain analytics firm Elliptic, already more than double last year’s total.

“This is a war where the cybersecurity company or project cannot be victorious,” said Ronghui Hu, a computer science professor at Columbia University in New York and co-founder of cybersecurity firm CertiK. “We have to protect so many projects. For them (hackers) when they look at a project and there are no bugs, they can just move on to the next one until they find a weak spot.”

Currently, most digital tokens operate on their own unique blockchain, essentially a public digital ledger that records crypto transactions. This runs the risk of projects using these coins becoming siloed, reducing their prospects for widespread use.

Blockchain bridges aim to break down these walls. Supporters say they will play a fundamental role in “Web3” – the much-hyped vision of a digital future where cryptocurrencies are involved in online life and commerce.

However, bridges can be the weakest link.

The Nomad hack was the eighth-largest crypto theft on record. Other bridge thefts this year include a $615 million heist on Ronin, used in a popular online game, and a $320 million heist on Wormhole, used in so-called decentralized finance applications.

“Blockchain bridges are the most fertile ground for new vulnerabilities,” said Steve Bassi, co-founder and CEO of malware detector PolySwarm.
ACHILLES' HEEL
Nomad and other companies building blockchain bridge software have attracted support.

Just five days before it was hacked, San Francisco-based Nomad said it had raised $22.4 million from investors, including major exchange Coinbase Global (COIN.O). Nomad CEO and co-founder Pranay Mohan called its security model the “gold standard.”

Nomad did not respond to requests for comment.

It said it is working with law enforcement agencies and a blockchain analytics company to track the stolen funds. Late last week, it announced a bonus of up to 10% for returning funds hacked from the bridge. It said on Saturday that it had recovered more than $32 million in hacked funds so far.

“The most important thing in crypto is the community, and our number one goal is to restore bridged user capital,” Mohan said. “We will treat any party that returns 90% or more of exploited funds as white hats. We will not prosecute white hats,” he said, referring to so-called ethical hackers.

Several cybersecurity and blockchain experts told Reuters that the complexity of bridges meant they could represent an Achilles’ heel for projects and applications that used them.

“One reason hackers have targeted these cross-chain bridges lately is because of the enormous technical complexity involved in creating these kinds of services,” said Ganesh Swami, CEO of Vancouver-based blockchain data firm Covalent, which had cryptocurrencies stored on Nomad’s bridge when it was breached.

For example, some bridges create versions of cryptocurrencies that make them compatible with different blockchains, keeping the original coins in reserve. Others rely on smart contracts, complex programs that execute agreements automatically.

The code involved in all of this can contain bugs or other flaws, potentially leaving the door ajar for hackers.
ERROR FREE
So, how best to deal with the problem?

Some experts say smart contract audits could help protect against cyber theft, as well as “bug bounty” programs that incentivize open-source revisions of smart contract code.

Others are calling for less centralization of bridge control by individual companies, which they say could boost code resilience and transparency.

“Cross-chain bridges are an attractive target for hackers because they often leverage a centralized infrastructure, most of which lock down assets,” said Victor Young, founder and chief architect at US blockchain firm Analog.

Reporting by Tom Wilson in London and Medha Singh in Bengaluru. Edited by Pravin Char