Custodial vs. Non-Custodial Bridges

Please note that the below was written for my client Stably and will be an upcoming post on their blog. Make sure to follow them!

— — — — — — — — — — — — — — — — — — –

Despite the recent crypto downturn, more and more blockchains are appearing. According to DeFiLlama, 130 blockchains now have over $100,000 in funds locked within their DeFi protocols (known as TVL, which stands for Total Value Locked). Since DeFi’s peak of just under $200B in TVL in late-2021, the total TVL in the DeFi ecosystem now stands at approximately $58 billion.

It’s therefore incredible that over $2 billion in assets have already been stolen from cross-chain bridges in 2022. Bridges enable the transfer of information and assets between blockchains, which often have challenges communicating due to various architectural decisions made such as different block sizes, consensus mechanisms, and network design.

Better interoperability is essential to mainstream blockchain adoption and is a heavily studied area. Yet, the recent hacks are extremely concerning as they not only undermine trust in the DeFi ecosystem itself, but many of the parties affected tend to be from developing nations where the incentives to use DeFi tend to be much higher than in developed nations.

Below, we’ll begin by providing an overview of these bridge hacks. An overview alone is nothing new, however. What’s especially interesting about our analysis is that all bridge hacks to date have involved non-custodial bridges rather than custodial ones (we’ll explain what these terms mean shortly). This is very important because although non-custodial bridges are in line with the blockchain ethos of decentralization, they are also not yet where they need to be in order to reach mainstream adoption in a safe manner.

Many people much smarter than myself are constantly working on innovative solutions that will undoubtedly reduce the frequency and severity of future attacks, but it’s also clear that custodial bridges have a place for those seeking greater security and are fine with the centralization of a key piece of DeFi infrastructure.

Wait, What’s a Bridge?

As a quick refresher, a bridge is a protocol connecting two blockchains to enable interactions of data or value between them. Bridges enable interoperability between blockchains that would otherwise be siloed due to incompatibility with others.

One reason for the importance of interoperability is that it unlocks innovation by enabling users access to other platforms, allowing various developers to build new products together, and providing DeFi protocol interoperability. Other reasons of importance include allowing developers to deploy products across various blockchains, promoting decentralization in the industry, and providing information and capital with an efficient means of transfer. In the future we expect many blockchains to grow, each with their own use cases and communities, and the ability for them to interact will be critical.

It’s in fact quite challenging to determine the first blockchain bridge, but the need for them has existed since the inception of Ethereum, which launched in July 2015. As more smart-contract blockchains were introduced in turn, the need to connect them grew further. Even Solana’s Wormhole bridge was only launched in 2021, illustrating just how new bridges are to the ecosystem.

Many different types of bridges exist. For the purpose of this article, we will break them down into solely two categories, which are:

a) Custodial (also known as Trusted or Centralized)

b) Non-Custodial (also known as Trustless or Decentralized)

A custodial bridge refers to one that depends on a central entity, requires users to give up control of their crypto assets, and generally relies on the reputation of the operator. In contrast, a non-custodial bridge refers to those that use smart contracts and algorithms, enable users to maintain control of their assets, and do not rely on any single entity.

There are further ways to divide bridge categories as well. The below lists various existing bridges categorized by function, with each category being explained here should they be of interest.

Non-custodial bridges are extremely innovative and have an incredibly important role in developing the entire blockchain ecosystem. However, they are also comparable to algorithmic stablecoins in the sense that while they are smart in theory, in practice they are quite new and prone to unintended consequences.

Nowhere has this been clearer than in the $2B in bridge hacks thus far this year, which include:

  1. Nomad Bridge: $190M was stolen in August 2022 due to a vulnerability in smart contract code.
  2. Harmony Bridge: $100M was stolen in June 2022 after a PDF containing a virus infiltrated a computer that held 2 of the 5 private keys needed to send funds.
  3. Ronin Bridge: $600M was stolen in April 2022 from the Ethereum sidechain used for playing Axie Infinity. 4 private keys were compromised, as well as a 3rd party validator run by a DAO, enabling the theft of funds.
  4. Solana Wormhole: $320M was stolen in February 2022 when a hacker was able to mint 120,000 wrapped ETH, which they then exchanged for both regular ETH and SOL.
  5. Qubit: $80M was stolen in January 2022 due to a smart contract code bug.

It’s important to note that all of the above are non-custodial bridge hacks. In contrast, we’ve had significant trouble in finding evidence of any custodial bridge hacks to date. That’s not to say that centralized parties can’t be harmed, such as in 2019 when $40M was stolen from Binance. However, their bridges have not been affected, and when it comes to recourse in the event something goes wrong, only regulated custodial solutions have a legal obligation to worry about compensating users for their losses. In the event of a custodial breach, it’s also likely that government would intervene to help compensate for losses if need be.

How Does a Custodial Bridge Work?

This is a good chance to discuss Stably Bridge, our custodial bridging solution.

Stably works with Prime Trust, a Nevada-based Trust Company. Using our stablecoin Stably USD ($USDS) as an example, we could consider a situation where I have $USDS on Harmony, the blockchain where we most recently natively issued our stablecoin. If I wish to bridge my $USDS from Harmony over to our upcoming blockchain, Ripple XRPL, I could use Stably Prime to do so, which is built upon Prime Trust’s API.

Because every $USDS is redeemable for a real USD, I could begin by “burning” my $USDS via Prime Trust, which credits my account with the relevant number of USD credits. I could then use this USD to “mint” $USDS onto another blockchain of my choice. Given that the equivalent in real USD exists, this is completely safe and totally legal. Additionally, it’s built upon Prime Trust’s API, which means that for a hacker to steal my $USDS, they would essentially have to hack Prime Trust itself, which is as hard as hacking any normal Trust company or Bank (hint: very hard).

We’re not saying that this is impossible, but it’s definitely a lot more challenging than finding a weakness in a new non-custodial bridge. There are several reasons for this, such as the fact that attacks are often due to human error (like a phishing attack), whereas centralized parties have strict internal protocols.

Why doesn’t everyone just use a custodial bridge then?

It shouldn’t be surprising that not everyone trusts large establishments, and that’s totally fine. This centralization is non-negotiable for many and is a reason that they’ll choose to use a non-custodial bridge. Additionally, there could be other concerns such as regulatory changes, or government mandates to centralized parties.

Institutional adoption is coming, and in our opinion decentralized bridges would not make sense for institutions that have fiduciary duties to protect the funds of their clients. In the event of any breach, they would be aggressively pursued by regulators and likely be dragged through numerous lawsuits and penalties. It would make much more sense for them to use a centralized bridge, such as Stably Bridge.

At the same time, it’s also clear that many users will opt for non-custodial bridges, especially many of the whopping 1.7B global unbanked citizens who may be unable to use a centralized institution for a variety of reasons. It can also be simpler to use a non-custodial bridge, which may take only one step to transfer funds rather than the two or more steps often required by a centralized bridge.

Other Interoperability Solutions

It’s important to know that bridges aren’t the only way of communicating between blockchains. For example, LayerZero based out of Vancouver, Canada uses primitive-level communication between blockchains to transfer either information or crypto assets. They reference centralized and decentralized exchanges as alternatives for moving assets, which are just other ways to consider centralized (custodial/trusted) or decentralized (non-custodial/trustless) bridges.

Therefore, LayerZero is not necessarily a bridge itself but a communication primitive for transferring assets between blockchains, in a sense acting as a bridge.

This is simply interesting to know in order to understand other interoperability solutions being worked on.

Conclusion

There is a huge need for interoperability between blockchains and yet non-custodial bridges are in their infancy, prone to hacks that harm trust in them with devastating effects on the users. Custodial bridges provide a much safer alternative, at the expense of centralization which many oppose. Further innovation in decentralized bridges can be expected to reduce instances of hacks, but it’s likely that more hacks will continue in the near future despite all the industry efforts to improve them.

Users should be aware of both types and the trade-offs of each. By continuously improving the architectures and security of both, blockchains will be able to interact much more seamlessly which will unlock use cases, many of which are unimaginable at the moment.
