320 Million Dollar Solana Bridge Hack exposes the vulnerabilities of bridges, not your keys, not your crypto!

shortsegments in #hive-167922 • 3 years ago

320 Million Dollars

Solana Wormhole

Lets unpack this briefly:

Solana is a 2nd layer solution on Ethereum
Solana has a very complex bridge between it and Ethereum,called Wormhole.
Wormhole sounds like advanced science and technology and gives us a sense of safety.
But Wormhole was new code, and therefore possessed potential unknown vulnerabilities.
Plus it was not trustless, which is a core component of cryptocurrency blockchain security.
So lacking this core security component and being new code, it’s potential failure is a known risk. So this means the bridge failure is not surprising.
Additionally, add in the lure of large amounts of Ethereum, the failure becomes even more likely.
But this is very educational.

Bridges are not secure

In the beginning there was Bitcoin
Bitcoin is a solution to a problem.
And more importantly Bitcoin is a safe solution to a problem because it is protected by the five core principles of cryptographic security.
If a solution to a problem doesn’t use all five security features that compromises security.
Bridges are a solutions to problem, which lacks the cryptographic security feature of trustlessness.
This is a point of vulnerability which can allow tokens to be stolen.

Bridges.

When we look at Bridges we must understand that the majority are not trustless, they are trusted, as in at some point in the process, we give up control or possession of our tokens and trust a human or code to give them back.
Trustlessness is a core security feature of decentralized cryptographic systems.
Bridges are usually one step in a long list of steps an investor completes to invest in decentralized finance.
Unfortunately the lack or absence of trustlessness means that Bridges can be the weakest point in the security of a process.

Trustlessness and cryptographic security, not your keys, not your crypto.

Bridges are not fully secure because on of the main components of cryptographic security is that your tokens remain in your wallet, secured by your keys at all times.
Because bridges require you to transfer assets out of your wallet, to a wallet not protected by your private keys and not controlled by your private key, you no longer control your crypto and someone who can access the private keys to this new wallet can steal your crypto.

Bridges in brief

Bridges are trusted solutions because you trust a human or trust code to possess your tokens as a critical step in carrying out a function or task.
The task is receiving/holding tokens on one blockchain, and sending or restoring the value of those tokens on another.
Simply put when you send your Hive to a bridge on Hive, your sending it to a wallet on Hive, controlled by the bridge. The bridge then sends you the value of your Hive on another blockchain, in the form of another token.
Hive tokens never leave the Hive blockchain, only the value of your tokens is transferred to the other blockchain.
It is important to understand that you are trusting the bridge because you are giving them your tokens.
You are no longer in possession of your tokens.

Example:

hive is a Hive blockchain token.
binance smart chain hive or b-hive is a binance smart chain token
if you send five hive to the Hive Binance Smart Chain Bridge
your hive stays in the bridge wallet on the Hive blockchain.
your wallet on the Binance Smart Chain receives five b-hive not five hive
your hive never leaves the Hive blockchain, but it's value leaves the Hive blockchain and this value is represented on the Binance Smart Chain as b-hive.

Many of these bridges are humans.

The human sees your hive come into the Hive bridge wallet
The human sends you b-hive on the Binance Smart Chain to your Binance Smart Chain wallet.
The human holds your hive as collateral on the Hive blockchain, for the b-hive they give you on the Binance Smart Chain.
The humans are a source of security failure.

Some of these bridges are code.

The code sees your hive come into the Hive bridge wallet
The code sends you b-hive on the Binance Smart Chain to your Binance Smart Chain wallet.
The code holds your hive as collateral on the Hive blockchain, for the b-hive the code gives you on the Binance Smart Chain.
The code the holder of your hive on the Hive blockchain, in the code wallet.
The code becomes the source of failure.

Vitallic Buterin, the creator of Etheteum, talks about this as well.

Vitallic says that second level solutions are the most important development in the scaling of ethereum to meet demand.
Vitallic says that cross blockchain transfer of value is the most important technology needed for second layer solutions to work.
Vitallic says that bridges are the biggest point of vulnerability in the cross blockchain ecosystem.

Let’s step back a moment

It is not my purpose to criticize, but to shine some light on this topic.
Many pieces of code have points of vulnerability.
But hackers don’t usually exploit vulnerabilities unless there is a big reward.
So what I am saying is that the coders who made wormhole are not bad coders, but that trusted bridges are by definition vulnerable points in the journey your tokens make in cross blockchain trade.
And when there is enough value being transferred over this bridge to motivate the hackers to take the time and effort to hack it, a hack may happen.

A metaphor of parents and children

Parents hold their children’s hands when they cross the street or when they are in a crowd to protect them from strangers. Parents maintain this control as a means of security.
Your tokens in your wallet are like your children, and the firm gripo of your hand is replaced by your private keys. Your keys keep your tokens safe. When tokens are no longer under the protective control of your private keys, their security is compromised.

Last word

You don’t have to trust my words or those of Vitallic Buterin. You have eyes to see and ears to hear. You have now seen the hack of the wormhole and the theft of 320 million dollars worth of Ethereum. You have now seen, that even in a sophisticated system, where the bridge isn’t a human, the bridge remains a point of vulnerability.

You now understand that the most secure place for your cryptocurrency is in a wallet, controlled by your private keys. This truth is the use case for Thorchain. Thorchain allows decentralized finance like lending, borrowing, exchanges, yoeld farming and liquidity provision to occur without the need for bridges through sophisticated and complicated systems which are trustless and your tokens are in your possession, under the control of your keys. This is why Thorchain is still relevant, perhaps now more then ever, because Thorchain eliminates the need for trusted Bridges and fixes the issue of trusted processes or trusted intermediaries, and replace them with trustless systems.

Trustlessness is not an academic concern, it is a core security feature of cryptocurrency.

Penned by my hand, this day, the 11th of February, 2022