Disclaimer: The text below is a press release that was not written by Cryptonews.com.
Axie Infinity’s Ronin bridge and Katana DEX have been halted after an exploit drained 173,600 Ethereum (ETH) and 25.5 million USD Coin (USDC), worth a combined USD 612 million at current prices. According to Ronin developers, the attacker used hacked private keys to forge fake withdrawals, draining the funds from the Ronin bridge in just two transactions.
Sky Mavis’ Ronin chain currently consists of 9 validator nodes. To recognize a Deposit event or a Withdrawal event, five of the nine validator signatures are needed. The attacker gained control of Sky Mavis’ four Ronin validators and a third-party validator run by Axie DAO. The validator key scheme is set up to be decentralized in order to limit attack vectors similar to this one, but the attacker found a backdoor through the gas-free RPC node, which they abused to get the signature of the Axie DAO validator.
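The gap between a nominal 5-of-9 threshold and the number of independent operators that actually have to fail can be checked mechanically. The following is an added example, not part of the press release or any Ronin code: the operator names other than Sky Mavis and Axie DAO are placeholders, and the signing-access edge that models the gas-free RPC path is an assumption.

```python
from itertools import combinations

def reachable_keys(operator, keys_by_operator, signing_access):
    """Keys usable after compromising one operator, following
    signing-access edges (allowlists, shared RPC) transitively."""
    seen, stack = set(), [operator]
    while stack:
        op = stack.pop()
        if op in seen:
            continue
        seen.add(op)
        stack.extend(signing_access.get(op, ()))
    return {k for op in seen for k in keys_by_operator.get(op, ())}

def min_compromises(keys_by_operator, threshold, signing_access=None):
    """Smallest number of operators whose compromise yields >= threshold keys.
    Returns (count, operators), or (None, ()) if the threshold is unreachable."""
    signing_access = signing_access or {}
    reach = {op: reachable_keys(op, keys_by_operator, signing_access)
             for op in keys_by_operator}
    ops = sorted(reach)
    for size in range(1, len(ops) + 1):
        for combo in combinations(ops, size):
            if len(set().union(*(reach[o] for o in combo))) >= threshold:
                return size, combo
    return None, ()

# Constructed validator set following the article: 9 keys, threshold 5,
# four keys run by Sky Mavis, one by Axie DAO. The other four operators
# are placeholders; the article does not name them.
RONIN = {
    "sky-mavis": ["sm-1", "sm-2", "sm-3", "sm-4"],
    "axie-dao": ["dao-1"],
    "other-a": ["a-1"], "other-b": ["b-1"],
    "other-c": ["c-1"], "other-d": ["d-1"],
}
# Baseline for comparison: nine keys held by nine unrelated operators.
INDEPENDENT = {f"op-{i}": [f"key-{i}"] for i in range(9)}
# Assumption: the gas-free RPC path is modelled as Sky Mavis infrastructure
# being able to obtain the Axie DAO validator's signature.
RPC_ACCESS = {"sky-mavis": ["axie-dao"]}

if __name__ == "__main__":
    print("independent operators:", min_compromises(INDEPENDENT, 5))
    print("keys grouped by operator:", min_compromises(RONIN, 5))
    print("with signing-access edge:", min_compromises(RONIN, 5, RPC_ACCESS))
```

Running the same check whenever a validator is added or a signing allowlist changes shows when key concentration or delegated signing has lowered the real threshold.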
Ronin bridge’s underlying technology is MPC (Multi-Party Computation), and many cross-chain bridges use this technology. Almost all cross-chain bridges existing in the market are a kind of third-party custodial bridge that is governed by an MPC or multi-sig (multi-signature) wallet.
Bridges based on MPC architecture are extremely vulnerable when facing security issues. Honestly, they are just too centralized. Although MPC is based on multi-sig, it is still controlled by a small circle of people designated by the project. The custody and contracts of users’ cross-chain assets more closely resemble the management of centralized cold wallets. This same approach has been adopted by CEXs. Obviously, existing cross-chain bridges