Blockchain bridges are essential components of the DeFi ecosystem, without them, everyone would be stuck in one network without the ability to move assets quickly and explore the Web3.
This convenience, however, comes at a cost. So far, three of the biggest DeFi exploits ever were bridge-related:
On the 23rd of March, more than $600 million were stolen from the Ronin bridge due to the attacker gaining access to five validator keys needed to sign malicious transactions.
Less than two months prior to that Wormhole was drained for $300 million through an elaborate smart contract vulnerability.
In one of the weirdest sagas in crypto, a hacker stole around $600 million from the Poly Network in August last year but later returned almost all of the funds.
Vitalik Buterin himself has expressed concerns over cross-chain applications and their security, but it is obvious that bridges are not going anywhere, so what exactly makes the bridges secure, and what the future might hold for them?
Countries and messengers
You can think of blockchains as different countries with their own sets of rules and validators as the residents of those countries. There is no way for a person to know what is happening behind the border (because one can’t be at two places at the same time), similarly, Avalanche has no idea of what is happening on Ethereum or any other network.
Therefore the need for a messenger arises - there must be someone who would take a message from one country, translate it if necessary and move it across the border. Bridges are these messengers.
Although theoretically all kinds of messages are possible the most popular use case for blockchain bridges is transferring fungible tokens. This is usually done by locking them on a source chain and issuing “wrapped” versions backed 1 to 1 on the destination chain.
But what if something happens with the courier, or worse if they decide to alter the contents of the message to extract some sort of monetary gain? They would be either able to mint unbacked tokens or steal the deposits. The assets on a destination chain would no longer be fully backed and be worth much less than the originals.
Decentralisation
So how do we ensure the messages are not tampered with? The naive solution would be for some very well-known entity like a centralised exchange to pass messages and store the bridged assets. In this case, potential economic gain from exploiting the “bridge” would be balanced out by the reputation costs. For example, BitGo serves as a custodian for the WBTC (the biggest wrapped version of Bitcoin by market share), which is available on Avalanche as WBTC.e.
The centralised approach often works and sometimes is the only solution, but it doesn’t really fit with the spirit of DeFi and it carries significant risks (e.g., one entity holding all the funds being exploited). So what’s the solution?
Ideally, we would want to avoid the central point of failure and never trust one party exclusively. The solution the existing Avalanche Bridge employs consists of an Intel SGX application and eight wardens that each index both Bitcoin and Avalanche blockchains.
SGX or Software Guard Extensions encrypts a portion of the computer memory creating an “enclave” that is not accessible from the outside making it ideal for storing private keys. Wardens are the ones actually passing the bridging messages, they are big trusted companies (e.g., Halborn is one of the leading blockchain security firms and Ankr is a major infrastructure provider in Web3) with a stake in the wider Avalanche ecosystem.
For the bridge to be exploited the supermajority (six out of eight) of the wardens would have to collude with each other. This is a much better system than relying on just one entity, but it is still far from being completely decentralised. The theoretical ideal bridge would allow users to bridge with the same level of security as provided by the blockchains they want to bridge between.
Trustlessness
The majority of existing bridges are external, which means that some third party acts as a messenger. It can be one CEX, multiple wardens, or a multisig, but the essence doesn’t change - when the user moves tokens between Avalanche and Ethereum through an external bridge their funds are no longer secured by validators of these chains but by those running the bridge.
Native bridges solve this problem by using validators of the underlying chains to pass and verify the messages. The most famous example of such technology is Cosmos’s Inter-Blockchain Communication protocol (IBC). It works by essentially running a node for one chain inside another, connecting the two. In the example with two countries, this would be akin to having dual citizenship. When bridging using the IBC the user’s tokens are as secure as the chains involved.
This strength, however, is also the biggest weakness of native bridges - they have to be built specifically for each type of blockchain they connect. IBC works for Cosmos because all chains there are based on the same codebase and run the same consensus algorithm. Right now IBC clients for EVM-enabled and other chains are being developed but it is not an easy process.
Path forward
Crypto is young and bridges are even younger, with ~1 billion dollars stolen from them in the last 6 months alone it is understandable that some people are still questioning the technology and the feasibility of a cross-chain future. However, large strides are being made towards decentralisation and security practically every day.
With the introduction of support for Bitcoin on Avalanche Bridge, the warden set got doubled (was previously 4) with some of the biggest names in the space now securing it. Besides the native bridge, there are multiple cross-chain applications (e.g., Stargate, Synapse) connecting Avalanche to Ethereum and other networks with different levels of security and trust assumptions for users to choose from. It has also been hinted multiple times that IBC-like protocol might be coming to the red chain as well, potentially allowing for trustless bridging between subnets and a better user experience (e.g., moving tokens straight in the Core wallet).
There are multiple arguments to have on which bridge design is better and everyone will always have their own preference, but at the end of the day, they are necessary to keep DeFi working, so every new connection between two chains is another step we take towards the Web3 future we all collectively long for.