Hackers feast on crypto weak link and even Binance isn’t spared

There’s a gaping hole in the crypto industry’s security architecture, and even the deepest-pocketed players haven’t figured out how to close it.

The vulnerability in question is what is known in the technical jargon as cross-chain bridges – software that allows crypto tokens to move between different blockchains.

On Thursday, a hacker made off with about $100 million through a bridge used by Binance Holdings Ltd., the largest crypto exchange.

“The worrying thing is that Binance are no fools, Binance has capital and resources and can hire the best,” said Paddy Cerri, chief architect at blockchain startup Minima. “If they cannot, who can build a safe bridge?”

A total of 2 million Binance Coins — equivalent to almost $570 million — were effectively minted and stolen by the hacker. Binance said in a statement that the incident was limited to the BNB chain, over which it exercises no control. About $100 million of the stolen funds were not recovered, according to the statement, while the rest were frozen. No user funds were lost, Binance added.

The inability to secure bridges poses a fundamental dilemma. Chainalysis estimates that $2 billion worth of tokens have been looted in 13 separate attacks, most of which have been stolen this year. Yet without such platforms, large blockchains from Ethereum to Solana are left largely separated from each other. The vision behind web3, dubbed by its proponents the next iteration of the internet, relies in part on tokens flowing freely between different ecosystems.

According to Kunal Goel, Research Analyst at Messari, protocols built on cross-chain bridges and interoperability have underscored the demand for this technology, raking in around $347 million from 30 deals since 2021. LayerZero had the largest deal, raising $135 million, but most deals were seed rounds, Goel said.

But even well-financed bridges that were built specifically to be “safety-oriented” were not spared. In August, one such bridge called Nomad, which uses a transaction verification method said to be more secure than that of other cross-chain platforms, was hit by a $200 million hack.

One of the biggest challenges in building secure bridges is their complexity, which offers hackers many potential entry points. And there are few skilled experts who can build and secure them, say security analysts and blockchain developers. Bridge developers not only need to know exactly how the software works, but also how the various blockchains it connects to work. According to analysts and programmers, finding someone with this know-how is not easy.

“I’ve studied distributed computing and consensus, but I have to say I don’t understand bridges well,” said Paul Frambot, chief executive officer of crypto startup Morpho Labs, which developed a new protocol. “This is very difficult to understand well and therefore even more difficult to build safe ones.”