Lessons From A $300M Hack | Nft News


Dear Bankless Nation,

Earlier this week, the Wormhole bridge between Solana and Ethereum was exploited for a total of 120k ETH.

With a dollar value exceeding $300 million, the Wormhole hack is the second largest smart contract hack in history, trailing only the $600M Poly Network hack of 2021.

Both of these attacks targeted cross-chain bridges.

It’s now a pattern: Bridges are high-value targets for attackers, meaning that bridge security is more important than ever.

So we’ve reached out to the Optimism team to help us reason about the lessons we’ve learned from this last week.

Shout out to Kelvin and the Optimism team for their help with this!

Lesson 1: Simplicity is security

Use simple bridges!

Complicated code is a red flag for bridges. Every additional line of code in the bridge's trusted path is additional attack surface.

Core bridge logic should contain only the bare minimum required to make the bridge work. Any code beyond that compounds the risk without adding security.

Lesson 2: Rollup bridges are better

Cross-chain bridges have more moving parts than rollup bridges. A rollup bridge's withdrawals are, by design, checked on the L1 itself (by fraud proofs or validity proofs), whereas a bridge between two sovereign chains has to trust an external set of verifiers that neither chain can check.

While this particular exploit did not hinge on the cross-chain vs. L2 distinction, it did start a conversation about the attack surface of cross-chain bridges.

Measuring security is hard, so people generally defer to the Lindy effect as a proxy: the longer a contract has held real value in production without being broken, the longer it can be expected to keep doing so.

The problem with cross-chain bridges is that the extra complexity limits their ability to accumulate Lindy.

Every additional risk vector weakens the assurance that elapsed time provides.

Bridges with the fewest lines of code and the fewest external dependencies accumulate the most Lindy.

Lesson 3: We cannot rely on bailouts

Solana’s ecosystem is extremely lucky that Jump Crypto, which backs Wormhole, was able and willing to replace the 120k ETH (worth over $300m). It’s fantastic that people are being made whole, and no material damage is happening to the Solana ecosystem.

And yet…

It’s dangerous to set a precedent that big bridge hacks will be covered by the nearest VC. One day, there will be billions of dollars in bridges. One day, bridges will be far more decentralized and there won’t be anyone to foot the bill.

One day, the bailout won’t come.

Lesson 4: Incentivize Whitehats

Our bridge builders should recruit white hat hackers.

🧠 A Whitehat hacker is an ethical security hacker.

Run a bug bounty

Every bridge project should be running a bug bounty program. Modern crypto bounty programs typically offer maximum payouts of $1-2M.

Payouts this big might sound like a lot, but they’ll be paying much more if their bridge gets hacked (Wormhole offered the attacker a retroactive bounty of $10M).

Make your code accessible

If your bridge builders make it difficult to review and digest code, then Whitehat hackers are much less likely to put in the work to do so. Blackhats are significantly more motivated to shovel through piles of spaghetti code than whitehats will ever be.

This is why published source code that is verified against the deployed bytecode is so important to the ecosystem. The more eyes, the better.
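To make "verified" concrete, here is an added example (written for this edit, not Bankless's or any bridge project's code) of the core check a verifier such as Etherscan or Sourcify performs: compare the runtime bytecode you compiled from the published source with the bytecode deployed on chain, ignoring only the CBOR metadata trailer that solc appends (its IPFS hash changes with file paths and compiler settings, so it is not part of the contract's logic). The bytecode strings below are constructed for the example and belong to no real contract; a real check would take `eth_getCode` output and a build made with the exact compiler version and settings the project published.

```python
# Added example: compare locally compiled EVM runtime bytecode with the bytecode
# deployed on chain, ignoring solc's metadata trailer. Sample bytecodes are
# constructed for this example; they are not any real contract.


def strip_metadata(bytecode: bytes) -> bytes:
    """Return runtime bytecode without the CBOR metadata trailer solc appends.

    solc emits <code><cbor-map><2-byte big-endian length of cbor-map>. The map
    carries the IPFS/Swarm hash of the sources and the compiler version, which
    change with file paths and settings, so they are excluded from the
    comparison. Bytecode with no plausible trailer is returned unchanged.
    """
    if len(bytecode) < 2:
        return bytecode
    meta_len = int.from_bytes(bytecode[-2:], "big")
    trailer = meta_len + 2
    if meta_len == 0 or trailer > len(bytecode):
        return bytecode
    meta = bytecode[-trailer:-2]
    # CBOR major type 5 (map) occupies the top three bits of the first byte.
    if meta[0] >> 5 != 5:
        return bytecode
    return bytecode[:-trailer]


def _to_bytes(hex_str: str) -> bytes:
    """Decode a hex string with or without a 0x prefix."""
    if hex_str.startswith(("0x", "0X")):
        hex_str = hex_str[2:]
    return bytes.fromhex(hex_str)


def bytecodes_match(compiled_hex: str, deployed_hex: str) -> bool:
    """True if compiled and deployed code agree once metadata is stripped."""
    return strip_metadata(_to_bytes(compiled_hex)) == strip_metadata(_to_bytes(deployed_hex))


def append_metadata(runtime_hex: str, cbor_hex: str) -> str:
    """Build <runtime><cbor><len> the way solc lays it out (helper for samples)."""
    meta = bytes.fromhex(cbor_hex)
    return runtime_hex + cbor_hex + len(meta).to_bytes(2, "big").hex()


# Constructed samples. RUNTIME is a tiny program that unconditionally reverts:
# PUSH1 0x80 PUSH1 0x40 MSTORE PUSH1 0x00 DUP1 REVERT.
RUNTIME = "6080604052600080fd"
# {"solc": 0x000811}: the local build, with a short metadata map.
LOCAL_BUILD = append_metadata(RUNTIME, "a164736f6c6343000811")
# {"ipfs": 0x01020304, "solc": 0x000811}: same code, longer metadata map.
DEPLOYED = append_metadata(RUNTIME, "a26469706673440102030464736f6c6343000811")
# One opcode operand changed (PUSH1 0x0a instead of 0x00): different logic.
TAMPERED = append_metadata("6080604052600a80fd", "a164736f6c6343000811")

if __name__ == "__main__":
    print("local build matches deployed:", bytecodes_match(LOCAL_BUILD, DEPLOYED))  # True
    print("local build matches tampered:", bytecodes_match(LOCAL_BUILD, TAMPERED))  # False
```

If the stripped bytecodes differ, the published source is not what is running, whatever the project's documentation says. This compares runtime code only: values of `immutable` variables are written into the runtime bytecode at deployment, so a production verifier additionally masks those slots before comparing.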

Lesson 5: There’s going to be more

Whether you believe we’re going to a Cross-L1 or a multi-L2 world, we will live in a world of bridges.

Bridges are honeypots. If they can be exploited, they will be exploited. While the $300M Wormhole hack is terrible, at least it started the conversation around bridge security and tradeoffs.

Hopefully, these lessons serve you well after a crazy week.

Here’s what’s lined up for the next one:

  • The founders of Solana, Avalanche, and Luna are coming on a panel 👀

  • Kyla talks memes and markets on the podcast

  • We’re going to leak the best yields on Layer 2

Have a great weekend.

– David

P.S. Bankless Badges are being sent out slowly over the next week! Keep an eye out for an email from lucas@banklesshq.com.

🙏 Sponsor: Polymarket—Bet on your Beliefs & Harness the Power of Free Markets

Recap for the week of January 31st, 2022

🎙️ WEEKLY PODCAST EPISODE

🎙️ Listen to podcast episode | Apple | Spotify | YouTube | RSS Feed

Tune in to the exclusive debrief episode. Need access? Join the Bankless Nation

ACTION RECAP 📚

  1. 📘 Execute any good market opportunities you saw in Market Monday

  2. 📘 Take a governance bribe with CVX

  3. 📘 Prepare for Layer 2 tokens 🔥

  4. 📘 Front-run the next big trend in NFTs

  5. 📘 Share whether or not you’ve been affected by a crypto hack or scam

WATCH & LISTEN 🔊

  1. 🎙️ Listen Blockchains and Cities | Haseeb Qureshi

  2. 📺 Watch Layer Zero: Boys Club

  3. 📺 Watch Why ETH is going to $3T | Ryan Allis

  4. 📺 Watch Rollup: Wormhole | Wonderland | Bieber Bored Ape | Gamestop

METAVERSAL 🧙‍♂️

  1. 📘 Read NFTs: No for real, though

  2. 📘 Read Bridging the L1-L2 NFT Divide

  3. 📘 Read Why Ethereum dominates NFTs

  4. 📺 Watch Overpriced Jpegs: SAND, MANA, Rug Radio, Creepze

  5. 🎙️ Listen How to build a bluechip NFT brand | Doodles Co-Founder

BANKLESS DAO 🏴

  1. 📘 Read Market Crashes and Crypto Regulation | Decentralized Law

  2. 📘 Read Uffizi Gallery Explores Masterpieces as NFTs | Decentralized Art

Weekly Subscriber Perks 🔥

Bankless Premium Members get access to perks like these:

Launch your own raffle for Bankless Badge holders! Go ahead. We can’t stop you.

Get Bankless Badge

🎙️ STATE OF THE NATION

Listen to podcast episode | iTunes | Spotify | YouTube | RSS Feed

We’re now live streaming State of the Nation—join us at 2pm EST every Tuesday!

🎙️ NEW ROLLUP

Listen to podcast episode | Apple | Spotify | YouTube | RSS Feed

Job opportunities 🧑‍💼

✨ See all listings on the Bankless Job Board

  1. MomentRanks is hiring a Senior Product Engineer

  2. dYdX is hiring a Community Manager (Contractor)

  3. dYdX is hiring a Governance Growth Lead

  4. dYdX is hiring a Business Operations & Finance Associate

  5. dYdX is hiring a Marketing Associate

  6. SmartDeFi is hiring an Accountant

  7. GoldFinch is hiring a Web3 Engineer (Solidity & React)

  8. Syndica is hiring a Senior Engineer (Go & Rust)

  9. StarX is hiring a Smart Contract Tech Lead



🙏Thanks to our sponsor

👉 Use code “bankless” to get up to $100 reimbursed on your first day of trading!

Polymarket may not be available in all jurisdictions

Polymarket is an information markets platform that lets you trade on the world’s most highly-debated topics. On Polymarket, build a portfolio based on your forecasts and earn a return if you are right.

When you buy shares in a market, you are weighing in with your own knowledge, research, and view on the future. Market prices reflect what traders think are the odds of events happening, turning trading activity into actionable insights that help people better plan for their future.


Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.

Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. Additionally, the Bankless writers hold crypto assets. See our investment disclosures here.
