The bridge theft attack and a possible mitigation

Most existing blockchains rely on a key security assumption: if the validators (or miners) were to corrupt the system enough to steal a lot of money, the money they stole would become worthless, since trust in the system would be destroyed. For example, if a 2/3rds majority of token holders on the Cosmos Hub gave themselves all the Atoms of the other 1/3rd, Atoms would soon become worthless since everyone would know that the system was not to be trusted.

This assumption breaks down when we consider a chain which has more money locked in a bridge than its staking tokens are worth. For example:

The bridge

The Hot Dog Zone is used to buy and sell hot dogs. It has a staking token, HotDogCoin, which serves the same purpose that Atoms do on the Cosmos Hub. But hot dog customers do not want to use some kind of weird hot dog coin. They want to use a stablecoin which has an equivalent value to the dollar. Luckily, there’s another zone, the Dai Zone, which has such a stablecoin. So the Hot Dog Zone can use a bridge (IBC) to bring Dai stablecoin over into the Hot Dog Zone where people can spend it on hot dogs.

This bridge consists of a module on the Dai Zone which locks up Dai. When you send this code some Dai, it gets locked up, and a token representing Dai gets minted on the Hot Dog Zone. We’ll call it Hot Dog Dai. You can send someone some Hot Dog Dai on the Hot Dog Zone to buy a hot dog from them. When they want to move the Dai back over to the Dai Zone, they send it to a module on the Hot Dog Zone which destroys the Hot Dog Dai, while releasing some of the Dai on the Dai Zone.

The attack

This is all well and good, but what happens if an attacker gets more than 2/3rds of the HotDogCoin staking token? They can now upgrade the protocol to add a transaction that transfers all of the Hot Dog Dai to themselves (a totally valid state transition by the way!), and use this to take all the Dai in the bridge module on the Dai Zone.

When this happens, HotDogCoin will become worthless since the chain is compromised, but if there is more Dai in the bridge than the attacker spent to buy enough HotDogCoin to carry out the attack, this is worth it.

The situation that a zone secures more value than its staking token’s market cap will be very common in a mature, realistic market. Many businesses handle much more money than their market cap. This is especially true for marketplaces, payment processors, and other types of industries that are well suited to the use of a blockchain.

The mitigation

The key to mitigating this attack is to create a situation where the theft of the asset in the bridge will make that asset worthless, to bring back the time-tested security assumption mentioned at the beginning of this post. One easy way to do this is to make sure that both zones share the same validator set.

In the example above, Hot Dog Zone could only accept validators that are also validating on Dai Zone. Now, if an attacker buys up enough HotDogCoin tokens to try to rob the bridge, they will need to get their changes past the Dai Zone validators. If the Dai Zone validators allow this attack to proceed, the Dai Zone stablecoin will become worthless since its validators are unquestionably compromised.

@zaki any thoughts?

One problem could be that not all the Dai Zone validators would want to validate the Hot Dog Zone. Then the Hot Dog Zone would have to make do with <100 validators.

The shared security design that @zaki and I are working on involves sharing the same validator sets, but gets rid of the HotDogToken altogether (at least as a staking token, it can still be doing something else like governance or fees or whatever). Basically HotDogChain can ask the Cosmos Hub validator set to also validate its chain. Some of the validators on the Hub can choose to do so, and if they fault on HotDogChain, their Atoms on the Hub also get slashed.

HotDogCoin needs to be a staking token for the Hot Dog Zone. If it’s not, then governance votes to upgrade software on the Hot Dog Zone are meaningless since token holders don’t have any control over the validators anyway.

If the validator set from the other zone in question is used as a whitelist, then if a validator does not cooperate with a governance vote, the token holders can undelegate from them. This will reduce the number of validators validating on the Hot Dog Zone, but preserves the power of governance votes as a signaling method.

I think the important part is that the participation of the validators of the Hot Dog Zone in any scheme which would be considered by society to be “theft from the bridge” would also put the value of the asset in the bridge under question. To me, it seems that the best way to do this is to have the validator set of the asset’s native zone make up the whitelist.

However, the Cosmos Hub validator set is a very good Schelling point for zones that want to have direct bridges to several other zones to use. It has the added benefit that it takes a lot of money to get onto this set, so it makes any attack more difficult to execute.

I’m not familiar with Tendermint slashing conditions, or whatever you are calling a “fault” here, but I don’t think that it’s possible to rigorously define all the state transitions that would be considered stealing from the bridge.

For example an attacker could buy up 2/3rds of the HotDogCoin, then use a governance proposal to implement a very radical demurrage scheme which quickly transfers most of the Hot Dog Dai to the Hot Dog Zone’s community pool, then grant all the Hot Dog Dai to an address controlled by the attacker for “protocol improvements”.

Easy to say after the fact that this was theft, but it is made up of 100% legitimate state transitions.

Does this differ from or is it similar to https://github.com/cosmos/ics/issues/76 (by @mossid)?

One soft mitigation against this kind of attack is for Hot Dog Dai to demur over time, paying to the HotDogCoin holders. This way, the value of HotDogCoin is proportional to the amount of Dai moved into the Hot Dog Zone. This isn’t a guarantee by any means, but the cost of getting 2/3 stake would increase as the “bounty” of Hot Dog Dai to steal grows.

If the 2/3 attacker isn’t a single actor but many colluding validators, slashing on evidence of a signed unexpected transaction for the reserves contributes to security as well. If an attacker proposes a malicious transaction, along with their signature, it becomes sort of like a Prisoner’s Dilemma, where if any one of the would-be attackers reports the partial transaction, the attackers get slashed.

If validators are not shared and amount in bridge is greater than say 1/2 of market cap of staking token then there should be a global settlement prior to any governance change implementation. I’m not sure if this would cover all cases but seems to solve some of the examples.

Governance changes could also involve the vote of those who have money in the bridge somehow.

You could be given option of settlement upon any governance change.

This sounds good.

Can there be a 50% or xx% hard limit for bridge transactions? Although, it would block any further bridge transactions until the % goes below the hard limit. That would be detrimental to the user experience.
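
The hard limit proposed in the last post, combined with the lock-and-mint accounting and the attack economics from the opening post, as an added example that is not part of the thread or of any Cosmos code. The `Bridge` class, the amounts, and the no-slippage cost of buying 2/3 of the stake are constructed assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction


class DepositRejected(Exception):
    """Raised when a deposit would push the bridge over its hard limit."""


@dataclass
class Bridge:
    staking_market_cap: int   # total HotDogCoin value in Dai units (constructed)
    cap_ratio: Fraction       # hard limit: locked Dai / staking market cap
    locked: int = 0           # Dai held by the module on the Dai Zone
    minted: int = 0           # Hot Dog Dai outstanding on the Hot Dog Zone

    def attack_cost(self) -> Fraction:
        # Assumption: 2/3 of the stake is bought at the current price, no slippage.
        return Fraction(2, 3) * self.staking_market_cap

    def attack_profit(self) -> Fraction:
        # Positive means the locked Dai is worth more than the stake needed to take it.
        return self.locked - self.attack_cost()

    def deposit(self, amount: int) -> None:
        if self.locked + amount > self.cap_ratio * self.staking_market_cap:
            raise DepositRejected(f"deposit of {amount} exceeds the hard limit")
        self.locked += amount   # lock Dai on the Dai Zone
        self.minted += amount   # mint Hot Dog Dai on the Hot Dog Zone

    def withdraw(self, amount: int) -> None:
        if amount > self.minted:
            raise ValueError("cannot burn more Hot Dog Dai than exists")
        self.minted -= amount   # burn Hot Dog Dai
        self.locked -= amount   # release Dai


def try_deposit(bridge: Bridge, amount: int) -> bool:
    try:
        bridge.deposit(amount)
        return True
    except DepositRejected:
        return False


if __name__ == "__main__":
    capped = Bridge(staking_market_cap=900, cap_ratio=Fraction(1, 2))
    print(try_deposit(capped, 400), try_deposit(capped, 100), capped.attack_profit())
    capped.staking_market_cap = 600   # stake price falls; the limit is now 300
    print(try_deposit(capped, 1), capped.attack_profit())
```

A cap at or below 2/3 keeps the profit non-positive only while the staking token's price holds. A price fall leaves existing deposits over the limit and blocks new ones until withdrawals bring the balance back under it.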
