A major hack shows us how far crypto still has to go – and that the first step might have to be backwards.
On Tuesday, the Nomad bridge was hacked for US$190 million, making it the fourth largest hack in crypto history.
In this case, a simple code error allowed attackers to rerun any transaction with their own address and have it complete. Cue absolute chaos as everyday users began siphoning off Nomad funds like they were North Korea’s hacking elite. (Some have since shamefacedly returned their loot, having realised that they withdrew the money to their very much trackable .eth accounts.)
By this point it’s becoming increasingly clear that crypto bridges – protocols that allow users to transact between Layer 1 chains like Ethereum and Solana – suck. How much do they suck? Well, so far this year more than US$2 billion has been drained from cross-chain bridges in 13 hacks. We know crypto is risky, but keeping money on a bridge right now is like slathering yourself in fish entrails and taking a dip in the shark enclosure.
The technology simply ain’t ready. But there’s a chance it never will be and right now crypto as a whole might be better off getting back to the building blocks.
In the beginning
‘Keep it simple’ is the cardinal rule of programming. The more complicated code is, the greater the chance that something will break, or interact in an unexpected way and create a vulnerability.
Bitcoin v0.1.0 established the first blockchain back in January 2009. At 3000 lines, it’s a miracle of simplicity. While the code has grown in sophistication since then, the fundamental part of it – the blockchain itself – has been running uninterrupted ever since.
Part of Bitcoin’s appeal is the fact that it remains so structurally straightforward. Things holding Bitcoin have been hacked. Bitcoin has never been hacked. Tamper resistance has been built into its DNA.
But with every layer we add to the basic work of a blockchain – recording transactions on an unalterable ledger – we introduce complexity and increase the attack surface. At a certain point you’re putting an awful lot of faith in the developers to do their due diligence on a novel technology doing unprecedented things.
Bridging the divide
Interchain operability has become a credo, of sorts. It’s widely assumed that the cryptocurrency future will be one where all the different layer-1s – Ethereum, Solana, Avalanche, Cosmos, Algorand, Tezos, etc – are able to send value back and forth at the push of a button. Hence the need for bridges.
But when it comes to security, bridges are particularly vulnerable because they’re running blockchains linking to other blockchains using smart contracts. To add to the mess, they often run through apps or browser extensions that introduce an extra, and far more vulnerable layer to the stack.
In January, Vitalik Buterin, the creator of Ethereum, wrote of his expectation that the security issues afflicting bridges were, essentially, unsolvable. While his focus was on the almost certainty of 51% attacks – and the fact these haven’t happened yet should be frightening – the point remains that the further you abstract things the more unstable they become. And that’s a lesson it’s costing us billions upon billions to learn.
Blockchains not bridges
Back in 2015, a common refrain was ‘blockchain not Bitcoin’. It was a way of trying to separate the exciting new opportunities of blockchain technology from Bitcoin, whose primary use case at that stage appeared to be buying drugs online.
An updated mantra for 2022 may be ‘blockchains not bridges’. So much of what crypto has become over the last few years involves layers of programming and financial abstraction being piled on to what, at its base, remains a simple and powerful technology.
The issue goes deeper than code, though. It’s a symptom of crypto’s tendency towards the complex and the incomprehensible, a trend that began in DeFi summer and hasn’t let up since. Purpose has become increasingly occluded by mind-bending financial mechanisms, vesting schedules and multi-level incentive structures.
As this post argues, what happened to making a product that people actually want to use? Where’s the market fit? The seamless UX? The killer app? Or as FTX’s Sam Bankman-Fried puts it, the blockchains that have a “real positive impact on the world”?
Sure, maybe we’re still early. But if that’s the case, we might need to pay more attention to getting the basics right.
Luke from CoinJar
CoinJar’s digital currency exchange services are operated in Australia by CoinJar Australia Pty Ltd ACN 648 570 807, a registered digital currency exchange provider with AUSTRAC; and in the United Kingdom by CoinJar UK Limited (company number 8905988), registered by the Financial Conduct Authority as a Cryptoasset Exchange Provider and Custodian Wallet Provider in the United Kingdom under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended (Firm Reference No. 928767). Like all investments, cryptoassets carry risk. Due to the potential volatility of the cryptoasset markets, the value of your investments may fall significantly and lead to total loss. Cryptoassets are complex and are unregulated in the UK, and you are unable to access the UK Financial Service Compensation Scheme or the UK Financial Ombudsman Service. We use third party banking, safekeeping and payment providers, and the failure of any of these providers could also lead to a loss of your assets. We recommend you obtain financial advice before making a decision to use your credit card to purchase cryptoassets or to invest in cryptoassets. Capital Gains Tax may be payable on profits.