Lessons from a $300M Hack
5 lessons you need to know from this week's Wormhole exploit
Dear Bankless Nation,
Earlier this week, Solana’s Wormhole bridge was compromised for a total of 120k ETH.
With a dollar value exceeding $300 million, the Wormhole hack is the second largest smart contract hack in history, trailing only the $600M Poly Network hack of 2021.
Both of these attacks targeted cross-chain bridges.
It’s now a pattern: Bridges are high-value targets for attackers, meaning that bridge security is more important than ever.
So we’ve reached out to the Optimism team to help us reason about the lessons we’ve learned from this last week.
Shout out to Kelvin and the Optimism team for their help with this!
Lesson 1: Simplicity is security
Use simple bridges!
Complicated code is a red flag for bridges. Every additional line of code is an additional security risk to the bridge.
Core bridge logic should contain only the bare minimum logic required to make the bridge work—any additional code compounds the risk.
Lesson 2: Rollup bridges are better
Cross-chain bridges have more moving parts than rollup bridges.
While this particular exploit did not hinge on the difference between cross-chain and L2 bridges, it did prompt a conversation about the risk surface area of cross-chain bridges.
Measuring security is hard, so people generally defer to the Lindy effect as a proxy: the longer a system has survived in production, the more confidence it earns.
The problem with cross-chain bridges is that their extra complexity limits their ability to accumulate Lindy.
Every additional risk vector weakens the security assurance that time in production would otherwise provide.
Bridges with minimized lines and minimized external dependencies achieve maximum Lindy.
Lesson 3: We cannot rely on bailouts
Solana’s ecosystem is extremely lucky that Jump Capital was able and willing to bail out $300m of missing ETH. It’s fantastic that people are being made whole, and no material damage is happening to the Solana ecosystem.
It’s dangerous to set a precedent that big bridge hacks will be covered by the nearest VC. One day, there will be billions of dollars in bridges. One day, bridges will be far more decentralized and there won’t be anyone to foot the bill.
One day, the bailout won’t come.
Lesson 4: Incentivize Whitehats
Our bridge builders should recruit white hat hackers.
🧠 A Whitehat hacker is an ethical security hacker.
Run a bug bounty
Every bridge project should be running a bug bounty program. Modern crypto bounty programs typically offer maximum payouts of $1-2M.
Payouts this big might sound like a lot, but a project will pay far more if its bridge gets hacked (Wormhole offered the attacker a retroactive bounty of $10M).
Make your code accessible
If your bridge builders make it difficult to review and digest code, then Whitehat hackers are much less likely to put in the work to do so. Blackhats are significantly more motivated to shovel through piles of spaghetti code than whitehats will ever be.
This is why published and verified code is so important to the ecosystem—the more eyes, the better.
Lesson 5: There’s going to be more
Whether you believe we’re going to a Cross-L1 or a multi-L2 world, we will live in a world of bridges.
Bridges are honeypots. If they can be exploited, they will be exploited. While the $300M Wormhole hack is terrible, at least it started the conversation around bridge security and tradeoffs.
Hopefully, these lessons serve you well after a crazy week.
Here’s what’s lined up for the next one:
The founders of Solana, Avalanche, and Luna are coming on a panel 👀
We’re going to leak the best yields on Layer 2
Have a great weekend.
P.S. Bankless Badges are being sent out slowly over the next week! Keep an eye out for an email from firstname.lastname@example.org.
Recap for the week of January 31st, 2022
Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.
Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. Additionally, the Bankless writers hold crypto assets. See our investment disclosures here.