According to recent media reports, there have been several instances of blockchain bridges being hacked this year. These include reports on August 2 that a bridge lost close to $200 million to upwards of 40 hackers who exploited a bug in its protocol, and reports in June that another bridge lost $100 million to hackers allegedly exploiting a weakness in the bridge to seize a number of different tokens, including Ethereum, Binance Coin, Tether, and Dai.
A blockchain bridge is a protocol connecting two or more different blockchains, thus allowing the blockchains to interact. Interaction can enable an exchange of information across blockchains, as well as an exchange of cryptocurrency or NFTs. In order for funds to be moved between blockchains via a bridge, the assets to be transferred are locked on one blockchain and minted on another. To achieve this, bridges often hold large stores of cryptocurrency; maintaining these large stores of liquidity has made blockchain bridges a popular target for criminals. Successful attacks on blockchain bridges have become increasingly common as cryptocurrency grows in popularity and use. According to forensics firm Elliptic, more than $1 billion was stolen from bridges in the first half of 2022.
These hacks are occurring in the wake of a Chainalysis report finding that North Korean cybercriminals had a prolific 2021, extracting nearly $400 million in digital assets through at least seven attacks on cryptocurrency platforms. These attacks targeted primarily investment firms and centralized exchanges, but highlight the issue of cybersecurity in the broader crypto community.
Consumers are also beginning to take note of the alleged lack of security on some platforms. In a first-of-its-kind class action lawsuit filed earlier this year, Sarcuni et al. v. bZx DAO et al. (S.D. Cal., May 2, 2022), plaintiffs allege that a decentralized autonomous organization (DAO) failed to implement security measures that it knew were reasonably necessary to secure the decentralized finance (DeFi) protocol. The alleged negligence resulted in the theft of $55 million from user accounts. Notably, plaintiffs allege that the DAO itself, its co-founders, and its members are all jointly and severally liable for negligence for failing to implement adequate security. DAOs typically lack legal formation or recognition, and decision-making authority is vested in all holders of the token native to the DAO (members), where the number of tokens a member possesses correlates to the number of votes that member has. In Sarcuni, plaintiffs allege that members are jointly and severally liable because, while there is no legal formation or recognition, the bZx DAO fits the definition of a partnership under the Uniform Partnership Act and is thus a general partnership among token holders.