320 Million Dollars
Solana Wormhole
Lets unpack this briefly:
- Solana is a 2nd layer solution on Ethereum
- Solana has a very complex bridge between it and Ethereum,called Wormhole.
- Wormhole sounds like advanced science and technology and gives us a sense of safety.
- But Wormhole was new code, and therefore possessed potential unknown vulnerabilities.
- Plus it was not trustless, which is a core component of cryptocurrency blockchain security.
- So lacking this core security component and being new code, it’s potential failure is a known risk. So this means the bridge failure is not surprising.
- Additionally, add in the lure of large amounts of Ethereum, the failure becomes even more likely.
- But this is very educational.
Bridges are not secure
- In the beginning there was Bitcoin
- Bitcoin is a solution to a problem.
- And more importantly Bitcoin is a safe solution to a problem because it is protected by the five core principles of cryptographic security.
- If a solution to a problem doesn’t use all five security features that compromises security.
- Bridges are a solutions to problem, which lacks the cryptographic security feature of trustlessness.
- This is a point of vulnerability which can allow tokens to be stolen.
Bridges.
- When we look at Bridges we must understand that the majority are not trustless, they are trusted, as in at some point in the process, we give up control or possession of our tokens and trust a human or code to give them back.
- Trustlessness is a core security feature of decentralized cryptographic systems.
- Bridges are usually one step in a long list of steps an investor completes to invest in decentralized finance.
- Unfortunately the lack or absence of trustlessness means that Bridges can be the weakest point in the security of a process.
Trustlessness and cryptographic security, not your keys, not your crypto.
- Bridges are not fully secure because on of the main components of cryptographic security is that your tokens remain in your wallet, secured by your keys at all times.
- Because bridges require you to transfer assets out of your wallet, to a wallet not protected by your private keys and not controlled by your private key, you no longer control your crypto and someone who can access the private keys to this new wallet can steal your crypto.
Bridges in brief
- Bridges are trusted solutions because you trust a human or trust code to possess your tokens as a critical step in carrying out a function or task.
- The task is receiving/holding tokens on one blockchain, and sending or restoring the value of those tokens on another.
- Simply put when you send your Hive to a bridge on Hive, your sending it to a wallet on Hive, controlled by the bridge. The bridge then sends you the value of your Hive on another blockchain, in the form of another token.
- Hive tokens never leave the Hive blockchain, only the value of your tokens is transferred to the other blockchain.
- It is important to understand that you are trusting the bridge because you are giving them your tokens.
- You are no longer in possession of your tokens.
Example:
- hive is a Hive blockchain token.
- binance smart chain hive or b-hive is a binance smart chain token
- if you send five hive to the Hive Binance Smart Chain Bridge
- your hive stays in the bridge wallet on the Hive blockchain.
- your wallet on the Binance Smart Chain receives five b-hive not five hive
- your hive never leaves the Hive blockchain, but it's value leaves the Hive blockchain and this value is represented on the Binance Smart Chain as b-hive.
Many of these bridges are humans.
- The human sees your hive come into the Hive bridge wallet
- The human sends you b-hive on the Binance Smart Chain to your Binance Smart Chain wallet.
- The human holds your hive as collateral on the Hive blockchain, for the b-hive they give you on the Binance Smart Chain.
- The humans are a source of security failure.
Some of these bridges are code.
- The code sees your hive come into the Hive bridge wallet
- The code sends you b-hive on the Binance Smart Chain to your Binance Smart Chain wallet.
- The code holds your hive as collateral on the Hive blockchain, for the b-hive the code gives you on the Binance Smart Chain.
- The code the holder of your hive on the Hive blockchain, in the code wallet.
- The code becomes the source of failure.
Vitallic Buterin, the creator of Etheteum, talks about this as well.
- Vitallic says that second level solutions are the most important development in the scaling of ethereum to meet demand.
- Vitallic says that cross blockchain transfer of value is the most important technology needed for second layer solutions to work.
- Vitallic says that bridges are the biggest point of vulnerability in the cross blockchain ecosystem.
Let’s step back a moment
- It is not my purpose to criticize, but to shine some light on this topic.
- Many pieces of code have points of vulnerability.
- But hackers don’t usually exploit vulnerabilities unless there is a big reward.
- So what I am saying is that the coders who made wormhole are not bad coders, but that trusted bridges are by definition vulnerable points in the journey your tokens make in cross blockchain trade.
- And when there is enough value being transferred over this bridge to motivate the hackers to take the time and effort to hack it, a hack may happen.
A metaphor of parents and children
Parents hold their children’s hands when they cross the street or when they are in a crowd to protect them from strangers. Parents maintain this control as a means of security.
Your tokens in your wallet are like your children, and the firm gripo of your hand is replaced by your private keys. Your keys keep your tokens safe. When tokens are no longer under the protective control of your private keys, their security is compromised.
Last word
You don’t have to trust my words or those of Vitallic Buterin. You have eyes to see and ears to hear. You have now seen the hack of the wormhole and the theft of 320 million dollars worth of Ethereum. You have now seen, that even in a sophisticated system, where the bridge isn’t a human, the bridge remains a point of vulnerability.
You now understand that the most secure place for your cryptocurrency is in a wallet, controlled by your private keys. This truth is the use case for Thorchain. Thorchain allows decentralized finance like lending, borrowing, exchanges, yoeld farming and liquidity provision to occur without the need for bridges through sophisticated and complicated systems which are trustless and your tokens are in your possession, under the control of your keys. This is why Thorchain is still relevant, perhaps now more then ever, because Thorchain eliminates the need for trusted Bridges and fixes the issue of trusted processes or trusted intermediaries, and replace them with trustless systems.
Trustlessness is not an academic concern, it is a core security feature of cryptocurrency.
Penned by my hand, this day, the 11th of February, 2022
@shortsegments
Posted Using LeoFinance Beta
Interesting point about bridges, its hard to make them decentralized with smart contracts, as there needs to be a link between the chains, and usually that's code, and maybe its open source code, but its not immutable on a blockchain, sometimes just sitting on a centralized server. I don't know if there is a solution like chainlike which uses oracles to get data outside the blockchain into the block chain?
Hi @notak
Good question!
As I understand it, it is possible to provide trustlessness in decentralized finance with liquidity provision on Thorchain.
Trustlessness is maintained I believe by a combination of no bridges, no wrapping and it is possible to control your assets with your keys up onto the time of pairing. I need to revisit Thorchain as I studied it months ago as a theoretical construct, and now there’s a working product.
Posted Using LeoFinance Beta
I knew this is how the bridge works and the truth is that we need to have where we can use truthless service. That which you answer makes things better for use.
We are all moving to a more better and reliable source. We will get their one day.
Posted Using LeoFinance Beta
Exactly, this issue illustrates that we are very early in the evolution and development of this space. We are early adopters and that role is risky and lucrative.
Posted Using LeoFinance Beta
I think DeFi needs to undergo some drastic changes. DPOS or some type of system like that where you can delegate your resources and not risk them. Being they are still in YOUR wallet and you still control them. Unsure how that will work but I've seen a few early adoptions of it so far.
Posted Using LeoFinance Beta
Hi @bitcoinflood
You wrote :
Exactly!
This is Trustless.
Dexs show us the Trustlessness is possible for trading.
I agree that the wormhole hack illustrates the importance of Trustlessness.
Thorchain fixes this!
And that will be my next post!
Posted Using LeoFinance Beta
My fear on this Crypto, are many of this Crypto are easily hack. Many have lose money on this new Crypto.
Posted Using LeoFinance Beta
You are right.
Security is everyone’s fear.
But as we learn and understand, we will become more secure. You will be less fearful, as you become more knowledgeable. Knowledge truly is power.
Posted Using LeoFinance Beta
K
Posted Using LeoFinance Beta
:)
Hmm
Posted Using LeoFinance Beta
This same trust issue appears not just on bridges, but on EVERY dex.
You send your tokens to a smart contract and pray it won't get rug-pulled.
We have this awesome technology of smart contracts with the promise of trustless finances, but the current ones fail to deliver.
Posted Using LeoFinance Beta
Ha Ha HA... your right.
We are constantly confronted with trusted situations, even though we came here for the trustless security.
This is one reason the knowing the developers of the projects you invest in is so important. You should know who you are trusting.
Posted Using LeoFinance Beta
I hope we see an evm chain with some kind of delegation mechanics soon. Then we can build a dex where you don't have to trust, and the admins can't rugpull.
Posted Using LeoFinance Beta
You propose an interesting solution. Delegation is a perfect solution to trusted situations.
Posted Using LeoFinance Beta
I thought all the smart contracts based tokens were made from a code to be trusted to do the transactions. If codes are destinated to failure the same as human intersection, what is the decentralizated way to do it?
You explained everything very well, but i don't know if I'm the one that is confused :s
Posted Using LeoFinance Beta
P.S.
I went back and reworded much of this post. I think it’s clearer now. Please take a second look and let me know.
Thanks
Posted Using LeoFinance Beta
Yes it is! thanks for your time man, I appreciate it👍
No problem. We are all learning, and when I read your questions and improve my post, I also improve my understanding.
😊
Posted Using LeoFinance Beta
No worries, this stuff is complicated, and it is confusing for all of us. Which is why we meet here to compare notes and share our understanding.
I think of investing in DeFi like baking a cake.
Step one is assemble the ingredients. Step one has substeps. Step two is mixing the ingredients. This step also has substeps. Step three is the baking and there are several instructions for this last part.
DeFi is like this. There are several steps you need to go through and one is the gathering of ingredients and this step involves swaps and bridges. During these swaps and on the bridges your assets may not be under your control. These steps can be manually done or automated via code or smart contract. But if the manual or coded function involves a step where your tokens are no longer under your control, you are trusting the code with your tokens. And token loss can occur.
So the fact that your interacting with code or smart contracts isn’t the issue. It’s the fact that the code requires trust because your tokens leave your wallet and go to some one else’s wallet. This is the issue of trustless versus trusted. The bridge step is a high risk one for this reason.
Posted Using LeoFinance Beta
Not sure if you have heard of Richard heart, but even he was surprised to find out that the technology behind atomic swaps cannot be used at scale in the form of a trust less, admin keyless bridge. It might be possible that members of his community have solved this problem but until we actually see it working we are yet to see an admin keyless, trust less bridge. Best solution to this possible vulnerability is to not keep your coins on the bridge.
Posted Using LeoFinance Beta
I am not familiar with Mr Hart, or the scaling issue. [ On second thought that name is familiar, what is he known for?]
I know that finality and block time affect speed, but I didn’t realize scaling was an issue.
But if block time is a limiting factor, I think Mr Hart is correct.
Its interesting how we can always go back to the basics of how something actually works and learn more.
Thanks.
Posted Using LeoFinance Beta
He is that guy copying Ethereum... all ERC-20 tokens will be copied as PRC-20
Posted Using LeoFinance Beta
Okay, thank you for the information, I will look into it further. What are PRC-20 tokens?
Posted Using LeoFinance Beta
As I uñerstand them, they are the exact copy of all the ERC-20 from the Ethereum Blockchain but those will be on the Pulse chaine
Indeed, this hack formed a real crisis of confidence in the bridges
Yes, it has.
Posted Using LeoFinance Beta
I think it's a little bit unavoidable that things get hit with a hack. After all you can't avoid bugs in codes and it can happen to anyone. Even having it decentralized might decrease the chances but it can't completely stop it either.
Posted Using LeoFinance Beta
You are correct that hacks can happen and they are more common on new projects, using new code for new ways to perform old tasks. The solution can include old code that is vetted by time and multiple developers or new code with few or no trustless steps. The combination of new code and trusted steps is high risk. While old code and trusted steps is safer, old code and trustlessness is probably the safest.
Posted Using LeoFinance Beta
Great insight. I've been using bridges left and right and never thought about the underlying issues that may be present.
I'll be more careful from now on now that I know more about how do they work.
Posted Using LeoFinance Beta
Thank you. I use them a lot myself, and depend on them.But I never thought of their vulnerabilities. My time in crypto is like a visit to another country with a different language and different laws. It’s a trip of constant discovery.
🤞
Posted Using LeoFinance Beta
I am starting the find the metamask and contracts intimidating as I can't read the contracts, it's impossible for me to not have to "Trust" someone.
Thankfully we have Khal and the Leo Team for our Cub Farms.
Posted Using LeoFinance Beta
Exactly.
We all signed up initially for trustlessness, but got anonymous trusted instead.
I agree this is why Leofinance and Cub are so valuable. We know who are trusting.
Posted Using LeoFinance Beta
Preach it.
Posted Using LeoFinance Beta
well we have a lot of hacks in crypto history but that is true, not your key, not your crypto some learn it the hard way
Posted Using LeoFinance Beta
Yes, most of the hacks target wallets containing the tokens of individual investors, which are invested in projects. These are trusted situations, the smart code needs to be audited and old, the developer needs to be known, and knowledgeable. This informatio is learned when you do your due diligence. And these things reduce risk.
Posted Using LeoFinance Beta
During this time of hacks of bridges this is a timely and welcome post.
Posted Using LeoFinance Beta
Thank you for the compliment. I hope this helps people protect themselves from hacks.
Posted Using LeoFinance Beta
Your welcome!
;)
Posted Using LeoFinance Beta
This explanation is concise and awesome. I was waiting to see thorchain come up and it did. Nice.
I think bridges are just necessary evils, cuz in reality we need them till we get something better.
Posted Using LeoFinance Beta
Thank you!
Yes, I had to because Thorchain fixes this.
Exactly!
We are pioneers and explorers in a new world!
We are venturing here at our own risk and both the rewards and risks are great.
🙏🤞
Posted Using LeoFinance Beta
Hi Shortsegments,
This is such a valueable and important concept.
I truly think it's awesome.
I tried to write about this today, but I must admit you did a better job. I see my now feeble attempt, as incomplete. I wish you would write an abbreviated version of this post. Because many maynot take the time to read it, and it is indeed beautiful.
I especially love the phrase decentralization is not a academic concern, it is a security concern.
I submit to you a challenge:
How would you summarize what you said here in as few words as possible? For those with no patience for reading 1254 words.
Posted Using LeoFinance Beta
UPvoted and reblogged, if I could afford it, I would promote it.!
Posted Using LeoFinance Beta
The wormhole hack came quite early in the year. I guess there's no end in sight for DeFi hacks. Because we'll always have hackers in the space looking for loopholes to capitalize upon.
Absolutely! The safest place to store your assets appears to be a wallet, either hot or cold. Sadly, I learnt this the hard way as I suffered victim to an exchange hack.
On the whole, there is need for some DeFi protocols to heighten their security standards.
Posted Using LeoFinance Beta
I agree…
They are all vulnerable, and security is a longterm effect of patching/fixing vulnerabilities. Solana is a new generation of blockchains, with a different consensus mechanism. It’s exciting but it’s new, and we don’t yet know all it’s vulnerabilities. I don’t know if Solana knows all their vulnerabilities.
Exactly, why do Tibet’s rob banks. LOL
We all do this and we are all susceptible to loss. Sorry to hear it happened to you. We should all remember that one of us are immune. As the Folk tale says:
Posted Using LeoFinance Beta
I'm sure the grace of God will want us to be more careful...😁
Speaking of which,
If this is the case, what is the aim of auditing?
Posted Using LeoFinance Beta
Ha Ha Ha
I think this is both a funny and illuminating question. It seems that audits focus on know or old vulnerabilities. I don’t know how good they are at recognizing new ones.
Posted Using LeoFinance Beta
That's a sad situation then. It's necessary that focus be channeled on discovering loopholes and fixing them.
Posted Using LeoFinance Beta
True.
Fortunately this is an evolving space and audit companies are evolving also, but for now caution is imperative.
Posted Using LeoFinance Beta