Will cross-chain apps ever be safe? Bridge hacks don’t appear to be going away.
Another just happened today, as the QANplatform, a Layer-1 blockchain, was hacked for around $1 million. Last week, a bridge used by Binance, the largest crypto exchange, fell victim to a $100 million hack. The list goes on, and the losses add up: About $2 trillion in cryptocurrency has been stolen this year due to cross-chain bridge hacks, according to the blockchain data firm Chainalysis.
Even still, investor Mark Cuban thinks a cross-chain future is “possible” and “viable,” but acknowledges it’s “risky,” he tells Fortune. “I really try to limit my use of bridges.”
Most of those within the space agree, noting that the technology must evolve to be more secure.
Bridges are very important because, at least as of now, blockchains can’t communicate with each other. An application on Ethereum can’t communicate with another application on, say, Solana, which can be obviously limiting for those within the crypto space. However, bridges—serving as a “storage point” between chains—are often targeted by hackers, and each bridge is only as strong as the code behind it.
“Current popular cross-chain bridges that are secured by a multisig (‘proof-of-authority’) in its current form have a very large attack surface, which makes it very difficult to be secured,” Edmund Kua, head of research at blockchain analytics firm Nansen, tells Fortune. A multisig requires multiple keys to move funds from a wallet, and proof-of-authority is an identity-based consensus mechanism that allows pre-approved validators to use software that automates the process of verifying transactions.
But bridges are “still an important part of the infralayer for any ecosystem, especially when it comes to interoperability, so [they] will definitely be viable even going forward,” Kua said. “The only difference is the innovation in their designs.”
A few projects have begun addressing current design flaws. One includes a sort of “cluster” solution for chains where “you can bridge more natively, which drastically reduces attack vectors,” Niklas Polk, a research analyst at Nansen, tells Fortune, noting the Cosmos ecosystem, which is known for its Inter-Blockchain Communication (IBC) protocol, and Layer-3 solutions atop ZK (zero-knowledge) technology.
“But for bridging between those clusters, we might need the current design for the foreseeable future,” Polk said.
Others, like Sergey Nazarov, cofounder of smart contract oracle network Chainlink, unsurprisingly point to their project’s solutions. Chainlink, for example, is working on its cross-chain interoperability protocol (CCIP), which provides a standard of communication between blockchains.
“As blockchain adoption increases in the coming years, oracles will be the key to solving the cross-chain puzzle,” Nazarov tells Fortune. “Security must come first with cross-chain applications—especially with DeFi’s growing value. But with the number of new use cases that cross-chain bridging and messaging can open up, I firmly believe the future of Web3 will be cross-chain.”
In the meantime, as the crypto realm awaits proposed solutions, bridge code evaluations should become standard, Erin Plante, vice president of investigations at Chainalysis, tells Fortune.
“While not foolproof, a valuable first step towards addressing security issues is for extremely rigorous code audits to become the gold standard, both for developers building protocols and investors evaluating them,” Plante said. “And over time, the strongest, safest smart contracts can serve as templates for developers to build from.”