Bridges to Nowhere: Why Bridges Get Hacked and How the IC Will Solve the Bridging Dilemma

Over the last year, many blockchains have sprung up, taking inspiration from the Ethereum platform. These blockchains copy Ethereum's code, making changes depending on how they intend to differentiate themselves. Some offer lower fees, others have different governance structures, and some have different consensus algorithms.

However, in general, these blockchains all have the same base layer, and they have the same app development tools. This structure, cloning the Ethereum code to make your own blockchain, is called the Ethereum Virtual Machine model, or EVM for short. There are notable exceptions to this model, where blockchains have built their own consensus mechanisms and application development tools from scratch, independent of Ethereum. These are non-EVM blockchains. Some examples of this include Solana, NEAR, and the Cosmos ecosystems. This also includes Bitcoin; however, it is not a smart contract platform.

A smart contract platform is a blockchain that allows you to develop and upload smart contracts for other users to interact with. A smart contract itself is a piece of code that is uploaded to the blockchain and can be interacted with. For example, you can make a smart contract that takes in a certain amount of money and then splits that money among two recipients.

More complicated smart contracts include lending and borrowing platforms, yield farms, liquidity pools, and more. Even tokens themselves are smart contracts! One benefit of so many new smart contract platforms becoming available is the variety of decentralized applications that more users get access to. Ethereum has also historically had very high gas fees, and other blockchains offer cheaper gas, with fees on some even less than a penny.

The Issue With More Blockchains

More blockchains give more people access to various decentralized applications. However, it does come at a slight cost. Assets that are created on Ethereum are not necessarily available on other blockchains like Avalanche or Fantom. This is important because assets should ideally be freely traded on any blockchain. Even highly important assets like USDC, the second largest stablecoin by market cap, are only on Ethereum.

This is where bridges come in. Bridges enable assets to be traded between different blockchains, which is an important component of a healthy ecosystem. They allow assets that are on one blockchain to be moved to another, so they can be traded on other chains where they are wanted or needed. This is how USDC is the most widely used stablecoin: bridges allow it to be transferred from Ethereum to any other chain where it is needed, whether it be Avalanche, Fantom, Polygon, Binance Smart Chain, or even Solana and Terra, which are non-EVM chains.

While defi bridges certainly do increase composability, interoperability, and general utility across the cryptocurrency ecosystem, they suffer from one fatal flaw: they are a central point of vulnerability for hacks due to their complex nature and the sheer amount of funds they hold. Within the last year, bridges have accounted for a majority of the total funds stolen across the entire crypto ecosystem. Massive bridge hacks have occurred on average every few months, each losing extremely large amounts of user funds.

Some bridge hacks in the last couple of years have included the Axie Infinity Ronin bridge hack, losing users $625 million, the Wormhole bridge hack costing users $300 million, the Harmony bridge hack losing users $100 million, and just this last week the Nomad bridge hack, losing users almost $200 million. Among others, these hacks show the sheer amount of financial loss incurred by bridge hacks and the semi-regularity with which they happen. Therefore, while defi bridges undoubtedly serve a useful purpose, they come with the inherent risk of large-scale hacks that can cause significant user losses.

Why are bridges vulnerable, and how do they work?

A question many users have is, “how can bridges even be hacked?”. This is a common question because many users think once they bridge their funds, they have the same funds on their new chain. It’s a reasonable assumption, given you may bridge USDC from one chain and receive the same USDC on another. However, this is not what is truly going on under the hood. The explanation is rather technical, but it’s worth taking a moment to understand.

In reality, truly bridging tokens across blockchains is not possible. EVM blockchains cannot communicate with one another in such a way that allows for tokens to be moved from one to another. When you bridge USDC from Ethereum to Fantom, you are not truly receiving the same USDC on Fantom. This is where the attack vector comes in and why your funds are at risk, even if it's not your personal wallet that gets hacked.

For the sake of demonstration, imagine a hypothetical bridge protocol named Bad Bridge. Bad Bridge allows you to bridge your USDC from Ethereum to Fantom. Bad Bridge states that they use secure smart contracts and are backed by large organizations that make sure they cannot be hacked. Say you decide to bridge your USDC because you want to take advantage of the low gas fees on Fantom. You bridge your USDC over, and you receive USDC on Fantom.

In actuality, this is not the case! You actually receive a brand new token created by Bad Bridge that represents USDC sent through their bridge. This token may be called badUSDC, signaling that it is not the real USDC but a bridged version of it. Because you own badUSDC, you can at any time bridge it back through Bad Bridge to get your real USDC back on the Ethereum chain. In the meantime, you can use badUSDC to perform all the regular functions you would use USDC for on Ethereum but on Fantom instead. This is because platforms will build around the most common bridged asset types. One side effect of them doing this is that they will frequently abbreviate the name, simply opting to call badUSDC USDC instead.

Because badUSDC is always redeemable for USDC on Ethereum, there is usually never an issue, and for all intents and purposes, badUSDC is USDC. This is until the bridge gets hacked on the Ethereum side. A bridge hack can happen in any number of ways, but once Bad Bridge gets hacked despite all their security claims, their USDC on Ethereum will be stolen. How does this affect you? Well, as each badUSDC is being redeemed on Ethereum in exchange for one USDC, the USDC being stolen out of the bridge on the Ethereum side means there are no longer funds to honor the redemption of badUSDC. This means that badUSDC holders no longer have a claim to one USDC, because Bad Bridge does not have the funds to pay them back.

The implication of this is that all the USDC on the Fantom chain in this hypothetical scenario (this did not really happen on Fantom!) will become worthless since it is no longer backed by USDC on Ethereum. Even if you only held badUSDC in a DEX, a lending protocol, or even just in your wallet, it will become worthless since it’s no longer backed by real USDC. This is how bridges are vulnerable to hacks and why the hacks are always so large. A medium-sized blockchain can have millions of dollars of USDC on it, and if a bridge gets hacked, the entire chain becomes full of unbacked USDC, wreaking total havoc and causing irrecoverable losses.
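The lock-and-mint accounting described above can be modeled in a few lines. The following is an added example, not code from InfinitySwap or any real bridge: the class, the users, and the amounts are all constructed, and it shows the backing check a monitor would run (locked USDC on Ethereum versus badUSDC in circulation on Fantom).

```python
from dataclasses import dataclass, field

@dataclass
class BadBridge:
    """Toy lock-and-mint model of the article's hypothetical Bad Bridge."""
    locked_usdc: int = 0                           # real USDC held on Ethereum
    bad_usdc: dict = field(default_factory=dict)   # badUSDC balances on Fantom

    def deposit(self, user, amount):
        """Lock USDC on Ethereum and mint the same amount of badUSDC."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.locked_usdc += amount
        self.bad_usdc[user] = self.bad_usdc.get(user, 0) + amount

    def redeem(self, user, amount):
        """Burn badUSDC and release USDC; fails when collateral is missing."""
        if amount <= 0 or self.bad_usdc.get(user, 0) < amount:
            raise ValueError("insufficient badUSDC")
        if self.locked_usdc < amount:
            raise RuntimeError("bridge cannot honor redemption")
        self.bad_usdc[user] -= amount
        self.locked_usdc -= amount
        return amount

    def backing_ratio(self):
        """Locked USDC per badUSDC in circulation (1.0 means fully backed)."""
        supply = sum(self.bad_usdc.values())
        return 1.0 if supply == 0 else self.locked_usdc / supply

def backing_alert(bridge, threshold=1.0):
    """Monitoring check: True when badUSDC supply exceeds locked collateral."""
    return bridge.backing_ratio() < threshold

def scenario():
    """Constructed walk-through; all names and amounts are made up."""
    bridge = BadBridge()
    bridge.deposit("alice", 1_000)
    bridge.deposit("bob", 3_000)
    bridge.redeem("alice", 200)            # normal round trip: ratio stays 1.0
    healthy = bridge.backing_ratio()
    # Constructed incident: collateral leaves the Ethereum side while no
    # badUSDC is burned on Fantom (how it left is outside this model).
    bridge.locked_usdc -= 2_850
    try:
        bridge.redeem("bob", 3_000)
        bob_redeemed = True
    except RuntimeError:
        bob_redeemed = False
    return healthy, bridge.backing_ratio(), backing_alert(bridge), bob_redeemed

if __name__ == "__main__":
    print(scenario())
```

Bob's badUSDC balance is unchanged after the incident, yet only a quarter of the circulating supply is still backed, which is why holders who never touched the bridge contract are affected.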

Okay, I don’t want to use a bridge. How can the IC help me?

The Internet Computer solves the bridging issue quite simply by not using bridges. Something that has never been done before in the world of defi is interacting with other blockchain assets without bridging those assets over. For example, it's impossible on any other blockchain, obviously excluding Ethereum itself, to provide liquidity with ETH without bridging ETH to that blockchain. This means bridges are required, and funds are vulnerable.

The Internet Computer solves this by simply integrating with the Ethereum network directly, completely removing the need for bridges. When you use the Internet Computer, sending ETH from your Internet Computer address is the same as sending ETH from your Ethereum address. Each wallet on the Internet Computer, if it holds ETH, holds that ETH on the corresponding wallet on the Ethereum blockchain. This means there is no centralization risk or risk of theft or loss of funds due to a hack, double spending, or any other issues that can occur as a result of a bridge hack.

Not only will the Internet Computer be integrating with ETH, it will be integrating with Bitcoin as well! With massive improvements in this bridgeless infrastructure model, it becomes possible to use defi applications without needing to risk your funds with a bridge. Now, if you want to provide liquidity with your Bitcoin on the Internet Computer, you simply send Bitcoin from your Bitcoin wallet to the decentralized exchange's Bitcoin wallet. Then, users can trade Bitcoin on the IC directly without being exposed to risky bridges.

Both Bitcoin and Ethereum will be transacted on the Internet Computer, but using the actual original networks under the hood. A transaction on the IC involving Bitcoin will move that Bitcoin on the Bitcoin network instead of only symbolically on the IC. This limits the hacking risk to individual applications at worst, and the whole network will never be at risk due to a faulty bridge.

Conclusion

Many chains are unable to avoid using bridges and are forced to compromise security for convenience. EVM chains like Avalanche, Fantom, and Polygon all must bridge assets from other chains such as Ethereum. Even non-EVM chains like Solana must bridge assets from other chains. Currently, USDC on most Cosmos chains such as Terra is a bridged version of USDC. While these funds are safe for now, and the bridge in question takes every precaution to make sure they aren't hacked, at the end of the day, it's still a risk. Bridged USDC holders on Cosmos chains may or may not be aware of the risk, but in the unlikely event that the bridge gets hacked, millions could be lost.

This is not to spread fear surrounding bridges, as there are many bridges that haven't been hacked and have exceptional safety practices, but it is to make sure that defi users are aware of potential risks. The alternative to taking such a risk is instead to use the Internet Computer!

The Internet Computer uses bridgeless architecture, making sure that assets are always stored off of the Internet Computer in their native forms, never centralized into a hackable bridge, and ultimately transacted on their native networks. For example, instead of bridging ETH from Ethereum and storing it on the Internet Computer, on the IC, you'll instead just use ETH on Ethereum from the Internet Computer, and it would be as secure as it would be on Ethereum itself.

Stay vigilant, and make sure your crypto stays safe!



*Disclaimer: While every effort is made on this website to provide accurate information, any opinions expressed or information disseminated do not necessarily reflect the views of InfinitySwap itself.