The recent “hack” of Multichain, a major crypto asset bridge, adds to a long list of bridge exploits and incidents that have by now shaken trust in these cross-chain solutions.
A token bridge is a protocol providing an economic connection between separate blockchains. It allows major assets like USDC, USDT and ETH to be transferred from Ethereum, BNB Chain and other major hubs to smaller chains.
Bridge architectures vary, but they usually involve two sets of smart contracts: a vault on the origin chain holding the “real” assets, and an IOU token on the receiving end. Users deposit assets on the origin chain and receive the respective number of IOU tokens at the destination.
The IOU tokens have value because they can always be redeemed for the original assets stored in the vaults, so guaranteeing the security of those vaults is paramount for smooth bridge operation. That security has rarely held, with bridges alone accounting for over half of the “total value hacked” in DeFi, according to DefiLlama.
According to Venket Naga, CEO at Serenity Shield, a cross-chain private data storage solution, “securing bridges in blockchain/crypto poses challenges due to interoperability and their open-source nature.” He continued:
“These bridges act as connectors between blockchains and networks, creating many potential entry points for cyber attackers. Similarly, the decentralized nature of many of said blockchains can also complicate security, as multiple entities and protocols must cooperate seamlessly to ensure the integrity of any shared bridge.”
The latest loss at Multichain also highlights the significant centralization common to many bridge architectures, as it appears to have been executed by the sister of the project’s CEO, allegedly to “save” the assets.
How users can protect themselves against bridge exploits
Using bridged assets continues to present a significant risk for users as they might suffer a complete loss of their principal.
There are a few tricks that can help limit the potential damage from exploits when they do happen. The first one is to simply stay on the lookout for anything suspicious.
For example, the Multichain loss was preceded by about a month-long period of uncertainty due to rumours of its CEO being arrested. The bridge was still operational and fully pegged, allowing abundantly cautious users to exit without losses.
As with exchange uncertainty, such as in the case of FTX, “panicking first or not at all” was a valuable strategy that allowed those who acted quickly enough to save millions.
Beyond that, as explained by Brandon Brown, Co-Founder and CEO of asset coverage protocol Fairside, token approvals play a big role. “To protect against bridge attacks and smart contract exploits, it is recommended to use a wallet with spending limits. Additionally, users should revoke smart contract access for third parties like Multichain after interaction to prevent loss due to future vulnerabilities.”
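The approval hygiene described above can be checked mechanically. The following is an added example, not code from the article or from any project it names: it replays ERC-20 Approval event logs for one wallet, reports allowances that are still open, and builds the approve(spender, 0) calldata that revokes them. The log layout (decoded eth_getLogs entries with integer block numbers) and all addresses are constructed placeholders.

```python
# ERC-20 event: Approval(address indexed owner, address indexed spender, uint256 value)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"   # approve(address,uint256)
UNLIMITED = 2**256 - 1          # the common "infinite approval" value

def pad(addr):                  # address -> 32-byte topic / ABI word
    return "0x" + addr[2:].lower().rjust(64, "0")

def outstanding_allowances(logs, owner):
    """Replay Approval logs in chain order; the last value per (token, spender) wins.
    This is an upper bound: spending via transferFrom is not always logged as
    an Approval, so confirm with the token's allowance() before acting."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares the topic hash but has 4 topics; skip it.
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC:
            continue
        if topics[1] != pad(owner):
            continue
        spender = "0x" + topics[2][-40:]
        state[(log["address"].lower(), spender)] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}

def revoke_calldata(spender):
    """Calldata for approve(spender, 0), sent to the token contract by the owner."""
    return "0x" + APPROVE_SELECTOR + pad(spender)[2:] + "0" * 64

# Constructed sample data: all addresses below are placeholders, not real contracts.
OWNER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN, BRIDGE, DEX = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20

def mk(block, idx, owner, spender, value, extra=()):
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender), *extra],
            "data": hex(value)}

SAMPLE_LOGS = [
    mk(130, 0, OWNER, DEX, 0),              # later revocation of the DEX approval
    mk(100, 0, OWNER, BRIDGE, UNLIMITED),   # unlimited approval to the bridge
    mk(120, 3, OWNER, DEX, 500),
    mk(125, 1, OTHER, BRIDGE, 10),          # someone else's approval
    mk(126, 0, OWNER, BRIDGE, 0, extra=(pad("0x" + "00" * 19 + "07"),)),  # ERC-721 style
]

if __name__ == "__main__":
    for (token, spender), value in outstanding_allowances(SAMPLE_LOGS, OWNER).items():
        kind = "UNLIMITED" if value == UNLIMITED else str(value)
        print(f"{token} -> {spender}: {kind}; revoke with {revoke_calldata(spender)}")
```

On the sample data only the unlimited bridge approval remains open, since the DEX approval was later set to zero and the four-topic ERC-721 log is ignored.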
More comprehensive solutions to the bridge risk have yet to be found. As Brown explained, any comprehensive coverage solution will tend to shy away from bridges: “Bridges present complex challenges for cover providers due to centralization and the risks associated with smart contracts,” he said.
While Fairside provides individual coverage against attacks such as phishing, SIM swaps and other personal losses, generalized protocol losses happen far too often to be sustainably covered. But Brown believes that new, more sturdy solutions such as Axelar’s Interchain can help improve the security of interoperable solutions as a whole.
“These advancements and others like it pave the way for viable coverage options to become a reality in the near future,” he concluded.