Cross Chain

‘New frontier’ of crypto laundering involves cross-chain bridges and DEXs — Elliptic

Curve, Uniswap, 1inch and the Ren bridge were the top platforms of choice for laundering illicit crypto, according to Elliptic.

New research from blockchain analytics and crypto compliance firm Elliptic has revealed the extent to which cross-chain bridges and decentralized exchanges (DEXs) have removed barriers for cybercriminals.

In an Oct. 4 report titled “The state of cross-chain crime,” Elliptic researchers Eray Arda Akartuna and Thibaud Madelin took a deep dive into what they described as “the new frontier of crypto laundering.” The report summarized that the free flow of capital between crypto assets is now more unhindered due to the emergence of new technologies such as bridges and DEXs.

Cybercriminals have been using cross-chain bridges, DEXs and coin swaps to obfuscate at least $4 billion worth of illicit crypto proceeds since the beginning of 2020, it reported.

Around a third of all stolen crypto, or roughly $1.2 billion, from the incidents surveyed was swapped using decentralized exchanges.

Delving further into the details, the report noted that more than half of the illicit funds it identified were swapped directly through two DEXs, Curve and Uniswap, with the 1inch aggregator protocol coming a close third.

A similar amount of around $1.2 billion has been laundered using coin swap services that allow users to swap assets within and across different networks without having an account.

“Many are advertised on Russian cybercrime forums and cater almost exclusively to a criminal audience,” it noted.

Sanctioned entities are increasingly turning to such technologies in order to move funds and carry out cyberattacks, according to Elliptic:

“Wallets connected to groups eventually sanctioned by the United States — including those used by North Korea to perpetrate multi-million-dollar cyberattacks — have laundered more than $1.8 billion through such techniques.”

In a June report on digital asset risks, global money laundering and terrorist financing watchdog the Financial Action Task Force also identified cross-chain bridges and “chain hopping” as high risk.

Related: $2B in crypto stolen from cross-chain bridges this year: Chainalysis

The Ren bridge was mentioned as a top choice for crypto laundering with the vast majority of illicit assets, or more than $540 million, passing through it.

“Ren has become particularly popular with those seeking to launder the proceeds of theft,” it said.

One potential solution to mitigate crypto theft was proposed by Stanford researchers last month. It involves an opt-in token standard called ERC-20R that provides the option to reverse a transaction within a set time period.

Algorand upgrade boosts speed, adds trustless cross-chain communication

Algorand has increased its transaction speed, processing capacity and cross-chain functionality with a major upgrade.

Pure proof-of-stake (PPoS) blockchain Algorand has introduced cross-chain communication and transaction speed improvements with the latest upgrade to its protocol.

The layer-1 blockchain network announced the implementation of State Proofs to its mainnet, which introduces trustless communication between different blockchain protocols. The upgrade also increased Algorand’s processing speed from 1,200 to 6,000 transactions per second.

The upgrade also includes the provision of new tools for developers as well as on-chain randomness capabilities for decentralized applications (DApps) running on Algorand. On-chain randomness is a key feature of Algorand’s PPoS consensus, in which network validators are chosen at random despite the respective amount of staked Algorand (ALGO) tokens.

As Algorand unpacked in a recent Medium post, State Proofs are cryptographic proofs of Algorand’s state that allows DApps on other blockchains to trustlessly verify Algorand transactions. The upgrade also increased the block size to 5 MB and a “sub-4-second block latency and finality.”

The introduction of State Proofs allows Algorand to securely connect to different blockchain networks without using an intermediary. Cross-chain interoperability and connectivity have mainly been powered by cross-chain bridges and validator networks, which have been subject to high-level exploits in recent times.

Algorand touts its quantum-secure, trustless State Proofs as a solution to the centralized nature of storage points in existing cross-chain service providers and platforms. Exploits of cross-chain bridges have resulted in the loss of more than $2 billion in 2022 alone.

Paul Riegle, chief product officer at Algorand, highlighted the upgrade as a significant step in facilitating the growth of Web3 platforms running on its network:

“From State Proofs, which are a game-changing blockchain interoperability security feature, to increased TPS, we are unlocking the tools required for Web3 applications to fulfill their vast potential.”

Algorand’s upgrade is timely considering that Ethereum is on the cusp of its transition from proof-of-work to proof-of-stake (PoS) consensus, with the Merge set to take place in the next couple of weeks. Ethereum’s move to PoS is set to drastically improve the scalability and efficiency of the network while reducing its carbon footprint.

Algorand is the brainchild of MIT professor Silvio Micali, who founded the PPoS blockchain to address what is known as the “blockchain trilemma.” The trilemma suggests that no blockchain can be simultaneously decentralized, scalable and secure.

Cross-chains in the crosshairs: Hacks call for better defense mechanisms

Cryptocurrency security firms, decentralized finance and cross-chain platforms are stressing the importance of improved defense mechanisms after a spate of hacks and exploits targeting the ecosystem.

2022 has been a lucrative year for hackers preying on the nascent Web3 and decentralized finance (DeFi) spaces, with more than $2 billion worth of cryptocurrency fleeced in several high-profile hacks to date. Cross-chain protocols have been particularly hard hit, with Axie Infinity’s $650 million Ronin Bridge hack accounting for a significant portion of stolen funds this year.

The pillaging continued into the second half of 2022 as cross-chain platform Nomad saw $190 million drained from wallets. The Solana ecosystem was the next target, with hackers gaining access to the private keys of some 8000 wallets that resulted in $5 million worth of Solana (SOL) and Solana Program Library (SPL) tokens being pilfered.

deBridge Finance managed to sidestep an attempted phishing attack on Monday, Aug. 8, unpacking the methods used by what the firm suspects are a wide-ranging attack vector used by North Korean Lazarus Group hackers. Just a few days later, Curve Finance suffered an exploit that saw hackers reroute users to a counterfeit webpage that resulted in the theft of $600,000 worth of USD Coin (USDC).

Multiple points of failure

The team at deBridge Finance offered some pertinent insights into the prevalence of these attacks in correspondence with Cointelegraph, given that a number of their team members previously worked for a prominent anti-virus company.

Co-founder Alex Smirnov highlighted the driving factor behind the targeting of cross-chain protocols, given their role as liquidity aggregators that fulfill cross-chain value transfer requests. Most of these protocols look to aggregate as much liquidity as possible through liquidity mining and other incentives, which has inevitably become a honey-pot for nefarious actors:

“By locking a large amount of liquidity and inadvertently providing a diverse set of available attack methods, bridges are making themselves a target for hackers.”

Smirnov added that bridging protocols are middleware that relies on the security models of all the supported blockchains from which they aggregate, which drastically increases the potential attack surface. This alsmakes it possible to perform an attack in one chain to draw liquidity from others.

Related: Is there a secure future for cross-chain bridges? 

Smirnov added that the Web3 and cross-chain space is in a period of nascence, with an iterative process of development seeing teams learn from others’ mistakes. Drawing parallels to the first two years in the DeFi space where exploits were rife, the deBridge co-founder conceded that this was a natural teething process:

“The cross-chain space is extremely young even within the context of Web3, so we’re seeing this same process play out. Cross-chain has tremendous potential and it is inevitable that more capital flows in, and hackers allocate more time and resources to finding attack vectors.”

The Curve Finance DNS hijacking incident also illustrates the variety of attack methods available to nefarious actors. Bitfinex chief technology officer Paolo Ardoino told Cointelegraph the industry needs to be on guard against all security threats:

“This attack demonstrates once again that the ingenuity of hackers presents a near and ever-present danger to our industry. The fact that a hacker is able to change the DNS entry for the protocol, forwarding users to a fake clone and approving a malicious contract says a lot for the vigilance that must be exercised.”

Stemming the tide

With exploits becoming rife, projects will no doubt be considering ways to mitigate these risks. The answer is far from clear-cut, given the array of avenues attackers have at their disposal. Smirnov likes to use a “swiss cheese model” when conceptualizing the security of bridging protocols, with the only way to execute an attack is if a number of “holes” momentarily line up.

“In order to make the level of risk negligible, the size of the hole on each layer should be aimed to be as minimal as possible, and the number of layers should be maximized.”

Again this is a complicated task, given the moving parts involved in cross-chain platforms. Building reliable multilevel security models requires understanding the diversity of risks associated with cross-chain protocols and the risks of supported chains.

The chief threats include vulnerabilities with the consensus algorithm and codebase of supported chains, 51% attacks and blockchain reorganizations. Risks to the validation layers could include the collusion of validators and compromised infrastructure.

Software development risks are also another consideration with vulnerabilities or bugs in smart contracts and bridge validation nodes key areas of concern. Lastly, deBridge notes protocol management risks such as compromised protocol authority keys as another security consideration.

“All these risks are quickly compounded. Projects should take a multi-faceted approach, and in addition to security audits and bug bounty campaigns, lay various security measures and validations into the protocol design itself.”

Social engineering, more commonly referred to as phishing attacks, is another point to consider. While the deBridge team managed to thwart this type of attack, it still remains one of the most prevalent threats to the wider ecosystem. Education and strict internal security policies are vital to avoid falling prey to these cunning attempts to steal credentials and hijack systems.

Aave devs propose freezing Fantom integration, citing lack of traction and potential vulnerability

The Fantom market on Aave v3 adds just $30 each day to the DeFi protocol’s treasury; developers are also concerned that the integration creates security risks.

On Tuesday, Marc Zeller, integration lead at decentralized finance (DeFi) borrowing and lending protocol Aave, proposed to freeze the platform’s v3 Fantom market. Created in 2018, Fantom is a directed acrylic graph smart contract platform that provides DeFi services and on which Aave is currently bridged. 

Zeller explained the rationale for removing the Fantom bridge:

“After the Harmony bridge event and the recent Nomad bridge exploit, the Aave community should consider the risk/benefits of keeping an active Aave V3 market on Fantom as this network is dependent on any swap (multichain) bridge.”

Zeller further explained that the Aave v3 Fantom market did not gain noticeable traction, with a current market size of $9 million and $2.4 million of open borrowing. In comparison, the Aave protocol has a total value locked of $3.48 billion. Meanwhile, the Fantom market on Aave only generates approximately $300 per day for the borrowing-lending protocol, of which $30 goes to the Aave Treasury.

If passed, the Aave Improvement Protocol would allow users to repay their debts and withdraw but block further deposits and borrowings in this market. After five days, a community vote will be held to determine the future of Aave v3 Fantom. The Aave team wrote:

“The risk of exposing users to potentially losing millions of $ due to causes exterior to intrinsic Aave security is considered not worth the $30 of daily fees accrued by the Aave treasury.”

Related: Backlash as Harmony proposes minting 4.97B tokens to reimburse victims

Multichain bridging, while praised by some as a pinnacle of interchain communications, has been criticized by skeptics such as Vitalik Buterin for its supposed fragility. Earlier on Tuesday, the Nomad token bridge was drained for $190 million after hackers discovered a single code exploit that anyone could replicate, leading to a “decentralized robbery” as other users joined in on the initial hacker’s siphoning of funds. 

After publication, Simone Pomposi, Fantom’s chief marketing officer reached out to Cointelegraph, claiming: 

“The Aave governance proposal has been framed as to prevent a potential bridging problem; however, the actual reason behind the proposal seems to be that Aave is not capturing enough market share on the Fantom network to justify the risk. Proposing to remove access to a decentralized app because the business model is faulty/unprofitable makes sense, but blaming it on hypotheticals [related to cross-chain bridges] isn’t fair.”

Aurora pays $6M bug bounty to ethical security hacker through Immunefi

Over $200 million worth of users’ funds could have been at risk if the whitehat had chosen to exploit the vulnerability for personal gain instead of reporting it to developers.

On Tuesday, Ethereum (ETH) bridging and scaling solution Aurora announced it had paid out a $6 million bounty to ethical security hacker pwning.eth, who discovered a critical vulnerability in the Aurora Engine. The exploit allegedly placed over $200 million worth of capital at risk. The sum was paid in collaboration with Immunefi, a leading platform for Web 3.0 bug bounties, with more than $145 million bounties available and over $45 million bounties paid out.

On April 26, Immunefi received a report from pwning.eth about a critical flaw in the Aurora Engine that would have enabled the infinite minting of ETH in the Aurora Ethereum Virtual Machine to drain and siphon the corresponding nested ETH (nETH) pool on NEAR. At the time of discovery, the pool contained more than 70,000 ETH, worth at least $200 million.

Mitchell Amador, founder and CEO at Immunefi, said: “Hats off to Aurora and pwning.eth for the flawless overall processing of the report. The bug was quickly patched, with no user funds lost.” Aurora had launched a bug bounty program with Immunefi just one week before discovering the security vulnerability. Meanwhile, Frank Braun, head of security at Aurora Labs, commented: “We look at the bug bounty program as the last step in a layered defense approach and will use this bug as a learning opportunity to improve earlier steps, like internal reviews and external audits.

Though arguably innovative, cross-chain communication protocols have been a prime target of hackers as of late. In February, one of the largest decentralized finance hacks occurred when the Wormhole token bridge was drained of over $321 million in digital assets after hackers exploited an infinite minting glitch between its wrapped ETH and ETH pool.