🔥 Burning Bridges 🔥 (Notes on the Wormhole Hack)
The top headline in this week’s crypto news is the massive hack of the Wormhole bridge which connects the Solana network to Ethereum. Hackers stole $320 million in Ethereum, exploiting the very nature of cross-chain bridges to run away with their prize. It’s a wake up call to the inherent security risks posed by bridges. As crypto-influencer Crypto_is_good told me, “The future is clearly not bridges and we need to stop pretending it is.” Luckily, the Internet Computer offers a better, safer way to cross the chasm between two chains.
How Do Bridges Work?
Crypto blockchains are inherently monolithic, adding new blocks to an ever growing tower of data. Since the trust comes from within, interacting with other blockchains is not typically a priority. However, if you have cryptocurrency on one chain, and want to move onto another, one solution is a “bridge.” In reality, the metaphor of a bridge isn’t terribly apt. When you drive a car over a bridge, your car arrives on the other side — your same car, just in a new location. That’s not how crypto bridges work at all.
Instead, these bridges function more like an exchange. Your crypto goes in one side, and is held on the bridge in a liquidity pool. Since you can’t just move Ethereum tokens onto Solana, for example, you instead trade them for a “wrapped” version of the currency, which represents the original funds being held on the bridge, but is compatible with the native token on the receiving chain. It’s similar to how you can’t just spend dollars in Europe; they first have to be traded for a currency that is compatible with the underlying financial system.
You can use your wrapped currency for whatever transactions, trades, or other activities you want on the new blockchain, then return to the bridge and swap your remaining wrapped currency for the original before making the return journey home. So, metaphorically speaking, it’s not your car waiting on the far side of the bridge, but rather a loaner that kinda-sorta represents your car. Yours is parked on the bridge in the liquidity pool along with all the other cars that were swapped. If you’re thinking, “Boy, we sure are trusting these bridges to do a LOT and maintain a large pool of cash,” you are now thinking like the hackers who infiltrated Wormhole. There are many online resources that can offer deeper, more technical explanations of how cross-chain bridge work — or are at least supposed to work. It’s less of a bridge and more of a “Park N Go” with currencies being exchanged each way. We may have used up all the gas this car and bridge metaphor has to offer — let’s get back to crypto.
So What Happened at Wormhole?
The exact details of the hack, laid out by @kelvinfichter on Twitter, get deep into the technical weeds of how smart contracts work on Solana, but the simplified summary is they found a way to fake some of the mandatory signatures that ensure everything is in order, mint out wrapped Ethereum on the Solana side of the bridge without inputting anything on the corresponding side, and then transfer it back to Ethereum to make the getaway. Where the system should have checked to make sure each transaction was balanced with the exact right amount of currency on the other side of the exchange, it instead took the fake signature’s word for it, and allowed the hackers to drain the bridge’s cash reserves. And poof! $320 million drove right off the bridge, never to be seen again.
Burn All the Bridges
So, if bridges have “fundamental security limits,” as detailed by Vitalik Buterin on Reddit, what would be a better way to enable cross-chain functionality?
The Internet Computer’s Chain Key technology offers one alternative. While bridges create relationships between two chains by placing themselves as a cash-holding intermediary, the ICP technology stack requires no such transaction. Instead, ICP can talk directly to another blockchain. As DFINITY Founder Dominic Williams pointed out on Twitter, you can’t hack a bridge that doesn’t exist. New features in Chain Key’s implementation — executed via the Network Nervous System — allow ICP to interact with Bitcoin directly, essentially extending the Internet Computer’s smart contract technology to Bitcoin. Bitcoin holders maintain their own keys to their coins, and never have to trust a third party as they do when using a bridge. It’s direct chain-to-chain interaction, instantly opening up the world of Internet Computer functionality to Bitcoin’s utility as digital gold. Like peanut butter and jelly, caviar and vodka, or dosa and lentils, these are two great tastes that are meant to go together. And it’s all accomplished without introducing a security-flawed middleman like a bridge. Chain-to-chain interactions, underwritten by ICP’s security, creates a chain-agnostic resource — one that plays well with others while adding functionality the other lacks.
As this is being written, integration with Bitcoin has just been released in a developer preview. And more is coming soon: Ethereum integration is coming next to ICP’s new cross-chain functionality checklist. This makes ICP the glue holding a new multi-chain world together — opening up Bitcoin’s treasures to the Internet Computer’s speed, no-gas-fee system, and unlimited scalability.
It is still early days in many ways with crypto, and its power and cash-like permanence will continue to make it a target for hackers and grifters alike. Security, and the ability to build trust, are fundamental to any blockchain that wants to break through to the mainstream, attracting nontechnical users to real applications that will make their lives more productive, more profitable, and more secure. The Internet Computer continues to pave the way for a bright Web3 future, burning bridges to light the way.