I recently came across an interesting discussion post in the MakerDAO forum that reviewed some of the past bridge hacks in order to understand where the vulnerabilities occurred and how to improve so as to avoid the same pitfalls.
To analyze the failings and come up with improvements around due diligence, bridge design, and other risk parameters, the MakerDAO and Starknet Engineering teams looked into the Ronin Bridge ($624 Million), Poly Network ($611 Million), Wormhole ($326 Million), Nomad ($190 Million), Harmony’s Horizon Bridge ($97 Million), Qubit ($90 Million), ThorChain ($5 Million), Meter’s Passport Bridge ($4.4 Million), and Chainswap ($4.4 Million) hacks.
The review found five key areas that resulted in the exploits:
- Smart Contract Bug
- Underlying blockchain implementation bug
- Offchain infrastructure bug
- Crypto key exploit
- Key security risk assumption failure
The full notes of the reviewed hacks can be found here.
In conclusion, the post covers the learnings from the review. The areas it identifies as critical to the security and integrity of a bridge are:
- Lack of decentralization, as exemplified by the Ronin and Harmony Protocol's Horizon bridge hacks.
- Ad hoc design changes and procedures, which are often made with good intentions but can cause critical faults when not properly thought through or rolled out.
- Clarity around access rules and the management of critical pieces of infrastructure. This needs to consider the different parties working on a bridge; access to code deployment should be minimized, and those responsible for reviewing deployments should ideally be separated.
- Deploying changes or updates without a prior audit, identified as a key area that was overlooked in haste or completely ignored, to the detriment of the project, in the majority of the reviewed bridge hacks.
- Public GitHub repos leaking critical information, another area where equal care is needed in how teams approach maintaining their repos.
- Systems affecting authentication and verification, which need critical attention to ensure all internal security checks and balances are adhered to.
- Limiting ad hoc processes, which sounds obvious but can be difficult to stick with and needs to be consciously adhered to.
The post also goes on to cover emergency plans and systems that can be put in place to potentially reduce the impact of a hack. The full forum post is at https://forum.makerdao.com/t/bridge-hacks-review-and-learnings-for-maker-teleport/17549