In Bridges - The Daily Gwei #430
Wormhole to nowhere.
Less than 24 hours ago we saw one of the biggest hacks in crypto history take place with $325 million worth of ETH stolen from the Wormhole bridge. Now, I wrote about the risks of using bridges the other day here, but this theft was done via a good old smart contract exploit so most of the things I talked about in my piece do not apply here (but are still relevant generally).
The key difference between a bridge exploit and a regular smart contract exploit is that bridges have massive downstream effects for the rest of the bridged-to chain. For example, because the ETH that was bridged to Solana from Ethereum via Wormhole became worthless at the time of the exploit (since all the ETH backing it was drained from the bridge contract), the rest of the Solana DeFi ecosystem was impacted. I haven’t been able to find any analysis on what exactly happened and to which apps, but some things that could’ve happened would be errant liquidations on money markets, liquidity pools with ETH in them being drained, and users holding the ETH losing out completely.
It’s important to note here that this type of exploit can also happen to layer 2 bridges because they too are smart contracts and are susceptible to bugs. It doesn’t matter that the layer 2 bridge is secured by Ethereum layer 1 - just like it doesn’t matter when a DeFi contract is exploited on Ethereum - the result is still the same in the event of a bug. It’s also worth noting that there are other bridge constructions that can be susceptible to smart contract bugs, economic exploits, DoS attacks and more - these are the ones that we need to be especially cautious of as they are difficult to reason about.
Lastly, as users of these bridges it’s critical that we all stay aware of the risks associated with them lest we become a victim of an exploit and lose funds. In Wormhole’s case, the ETH loss is being backstopped by some rich benefactors, but this will not be the case for most exploits. I’m afraid that a lot of money is going to be lost on these bridges over the coming years and really the only way to protect yourself completely is not to use them. But this is like saying that you shouldn’t use any smart contract - obviously there’s a risk spectrum and you need to just decide on what you feel comfortable with.
I don’t think this is the last bridge exploit/hack we will see and I don’t think it’s the largest one either. As we progress through the adoption of multiple chains (layer 1’s, layer 2’s, sidechains - whatever), more and more value will be locked into bridge contracts and they will become multi-billion dollar honeypots for attackers. The best thing we can hope for is that the developers of these bridges take security extremely seriously, put guardrails in place during the early days and warn users about the risks.
Have a great day everyone,
All information presented above is for educational purposes only and should not be taken as investment advice.