Bridging 101

Figure: Pepe Crossing Bridges to Explore Alternate Layer 1s / Layer 2s

Although ETH remains the dominant Layer 1 for most on-chain activity, alternate Layer 1s have demonstrated product-market fit throughout the bull market run of ‘20/’21. Solana (SOL 2.46% ) emerged as the ‘high-throughput chain’ focused on complex DeFi / gaming, BNB Chain (BNB) offers easy fiat on/off-ramps through Binance CEX, while Avalanche (AVAX) and Cosmos (ATOM -9.98% ) are building application-specific blockchains that focus on interoperability.

These smart contract networks have chosen different tradeoffs along the Decentralization-Scalability-Security blockchain trilemma, catering to the different use cases above. As such, if smart contract networks were to permeate most business and culture facets in the future, bridges between these networks constitute crucial infrastructure for an omnichain future.

Figure: Market Capitalization of Wrapped Versions of Bitcoin

But bridges in crypto are nothing new. In fact, the earliest semblance of bridging activity began when DeFi took off in 2019. At the time, BTC holders were faced with the choice between remaining on the Bitcoin Network, or turning their BTC into productive assets by bridging to the budding smart contract platform then, Ethereum. 281k (~$6.6b) BTC bridged out of the network into Ethereum later, it is clear in hindsight that there is a non-negligible demand for the latter.

Bridging Designs

At its essence, blockchain bridges pass messages (assets) from one network to another. While their respective designs vary, users generally interact with cross-chain bridges by sending assets to the bridge protocol on the source chain^[1]. The user is then issued either a native or wrapped version of the asset (of equivalent value) on the destination chain^[2]. Below, we dive deeper into the main models protocols utilize to facilitate liquidity between networks.

1. MPC^[3] Systems

Figure: Bridges Verified by External Validators or MPC Systems

Bridges that utilize this model rely on external validators to relay data between chains. These external validators are represented by an MPC system, oracle network, or threshold multi-sig. It requires multiple parties to monitor a “mailbox” address on the source chain for deposits and upon achieving consensus, mint an equivalent amount in a wrapped version of that asset on the destination chain.

Early renditions of this model rely on ‘custodians,’ and ‘merchants’ (instead of validators) to mint wrapped versions of the asset on the destination chain, including wBTC (wrapped Bitcoin).

Figure: Minting Process for wBTC

To disincentivize external validators from acting maliciously, modern bridges that deploy this model typically require validators to bond the bridge’s native asset (e.g., SYN, HOP). If validators collude to verify invalid transactions, their bonded stake will get slashed. However, bonding with bridges’ endogenous assets overstates the protocol’s security. This is because the bridge’s token will likely crash in value if multiple bonds get slashed, further reducing the security guarantees of the bridge.

As the old crypto adage goes: blockchain systems are only as secure as their weakest link. The security of the underlying chain is irrelevant when using an insecure bridge that relies on limited validators which can be corrupted. Although the MPC model allows for easy replication across chains that share the same virtual machine, users need to place significant trust in centralized actors that can collude to act maliciously.

2. Light Clients

Figure: Bridges Natively Verified by Light Clients

Natively verified bridges are designed to be verified by the chain’s inherent validator set, thereby inheriting the security of the underlying chain. This is achieved by running a light client^[4] in the virtual machines^[5] on both the source and destination chains.

Existing validators monitor events on the source chain and generate proofs which are then forwarded, along with block headers, to the light clients on the destination chain. As this method leverages existing validators of the chain, it represents the most ‘trustless’ form of bridging, allowing fully generalized message passing between the different chains on which the light clients are deployed. Bridges that choose this route port assets from one chain to another, but the underlying generalized message passing technology can also be used for other cross-chain apps such as NFT bridges and cross-chain lending protocols, unlocking composability.

Because natively verified bridges run light clients on each of the chains they support, integrations can be cumbersome as these chains possess consensus mechanisms that are distinct from each other. To illustrate, the Proof-of-Stake umbrella has at least eight recorded variations, each requiring a separate implementation strategy. Not to mention, the cryptographic proofs used for validation is gas-intensive.

3. Liquidity Pools

Figure: Bridges Using Liquidity Pools and are Locally Verified

Bridges that adopt the locally verified model leverage liquidity pools, akin to a peer-to-peer network of validators that hold inventories of assets on both the source and destination chains. This model is commonly referred to as ‘Atomic^[6] Swaps,’ where swaps can be conducted between two parties without a third party’s involvement.

This is achieved by Hash Timelock Contracts (HTLC), which introduces a time constraint such that transactions are reversed when either party does not fulfill their side of the trade within the specified time frame. Users deposit their desired tokens into the LP on the source chain, and withdraw an equivalent amount in native tokens from the LP on the destination chain.

The liquidity pool model is also near trustless – they inherit the security model of the underlying chain and can be replicated across other chains quite easily.

Figure: Summary of Bridging Models and Examples

It is important to note that while these models cover the majority of bridges today, they are not mutually exclusive. For example, Thorchain relies on liquidity pools and external validators to run its bridging protocol.

The Interoperability Trilemma

Figure: The Interoperability Trilemma

Upon examining the different bridging models today, it becomes apparent that bridges need to consider the Interoperability Trilemma, choosing between trustlessness, extensibility, and generalizability.

• Trustlessness refers to the ability of a user to interact with a bridging protocol without having to trust centralized authorities to verify transactions.

• Extensibility is the ability of a bridging protocol to support as many chains as possible.

• Generalizability is the bridge’s ability to handle arbitrary cross-chain data, such as generalized message passing.

Bridges as Vectors of Attack

As bridges often hold large amounts of TVL, they become attractive vectors of attack to hackers. This is evidenced by four out of the five largest exploits in crypto being that to bridges, constituting over $1.7b in value lost. Chainalysis estimates that $2b has been stolen from cross-chain bridges across 13 separate hacks in 2022. These attacks on cross-chain bridges constitute 69% of total funds stolen since the inception of DeFi. Below, we examine some of the largest bridge hacks and their causes.

Case Study 1: Nomad Bridge Hack

On Aug 1st 2022, Nomad Bridge was drained for $190m in an attack spanning two and a half hours. Apart from the unusually long duration, this hack was noteworthy as it had been instigated by an individual, but the exploit was replicated by hundreds of users.

After a routine upgrade in June, Nomad’s replica contract was initialized with a security flaw – the 0x00 address was set as a trusted root. While this is common practice, it also matches the value for an untrusted root, which meant that all messages were read as valid by default. The exploiters were able to call the process() function directly without first proving the transaction’s validity. Witnessing the initial vulnerability on-chain, other users simply had to copy pasta^[7] the same process() function call via Etherscan, replacing the initial attacker’s address with their own.

As a result of the exploit, Moonbeam, Evmos, and Milkomeda each saw their TVLs drained as Nomad was the canonical bridge for most of the assets on these networks. Ultimately, the exploit was due to a smart contract ‘bug’, which was highlighted in the audit but not acted upon by the team. As of writing, ~$35m out of the $190m has been recovered by the protocol by offering a 10% bounty and the opportunity for exploiters to become ‘white hat hackers^[8].’

Case Study 2: Wormhole Bridge Hack

Wormhole, Solana’s most popular cross-chain bridge, was exploited for $325m in ETH on February 2nd, 2022. The exploit was possible as validators (Wormhole calls them ‘guardians’) were manipulated into recognizing 120k ETH as deposited on Ethereum, allowing the exploiter to mint the equivalent amount in whETH (Wormhole ETH) on Solana.

The exploit allowed the hacker to bridge ~94k ETH back to Ethereum, with the remaining whETH being converted into USDC and SOL 2.46%  on the Solana network. After the attack, the Wormhole team offered the hacker a $10m bounty in exchange for the funds, but to no avail.

About a week later, Jump crypto, one of Wormhole’s largest backers, stepped in to replenish the exploited ETH, bailing out Wormhole and much of the Solana ecosystem (and liquidity pools) that relies on $wETH. They presumably did so as they recognized the value of maintaining Solana’s largest bridge and the smart contract network’s potential in decentralized trading.

Case Study 3: Ronin Bridge Hack

Rumored to be instigated by Lazarus Group, the Ronin bridge hack on March 23, 2022, constituted the largest decentralized finance (DeFi) attack in history. It saw ~$624m of crypto siphoned out of the bridge that powers the blockchain-based game Axie Infinity, dethroning Poly Network that saw $611m drained.

The noteworthy thing about this particular hack was that despite its occurrence, nobody noticed for almost a week. The Ronin bridge was relatively centralized – only nine validators operated the Proof of Authority consensus mechanism that favored speed over decentralization and trustlessness. Out of the nine, a consensus amongst five was necessary to approve transactions. Sky Mavis operated four out of nine validators themselves, which meant that only one more signature was needed in the event of a security breach.

Funnily enough, the hackers controlled four out of five signatures through a fictitious job posting offered to a senior engineer at Axie Infinity. The fake offer letter was delivered in the form of a PDF document, which contained spyware to infiltrate Ronin’s systems. The additional threshold signature was obtained through Axie DAO, which failed to revoke allowlist access after allowing Sky Mavis to sign transactions on its behalf during previous periods of high volume. Since the exploit, Sky Mavis raised a $150m round led by Binance to reimburse users.

Bottom Line

Evidently, bridging is a piece of infrastructure that is indispensable for the digital asset space. Although we have seen different approaches towards bridging (most popular being MPC systems), none have emerged as clear winners yet, even though there has been excitement around the composability of light clients. The only thing that is clear is that safety is paramount given the magnitude of exploits in this vertical.

^[1] Source chains are the blockchains from which assets are sent.

^[2] Destination chains are the blockchains to which assets are sent.

^[3] MPC stands for Multi-Party Computation, which involves multiple parties – each holding their own private data – to evaluate a computation without ever revealing any of the private data held by each party (or any otherwise related secret information).

^[4] A light client or light node is a piece of software that connects to full nodes to interact with the blockchain.

^[5] A virtual machine (VM) is a program that emulates a computer system. It has a virtual CPU, memory, and storage and appears, from the outside, to be no different than a physical machine with the same hardware.

^[6] Atomic is derived from ‘atomic state,’ where a state has no substates. The swap either happens or it doesn’t; there is no in-between.

^[7] Copy pasta is slang for copy and pasting.

^[8] A white hat hacker — or ethical hacker — is an individual who uses hacking skills to identify security vulnerabilities in hardware, software or networks. This is opposed to black hat hackers, who are criminals who break into computer networks with malicious intent.