What Are Cross-Chain Transactions and Why Are They Being Hacked?

Blockchain, WadsPay, Algorand

With the cross-chain payments bridge of top global exchange Binance’s BNB Chain blockchain the victim of a $570 million cryptocurrency hack — the latest in a series of mega-thefts that had already seen more than $2 billion stolen — it’s worth taking a look at what the cross-chain transactions these bridges facilitate actually are and why they are so vulnerable.

As cryptocurrencies grow from being simple speculative investments into tokens with an actual utility like paying for a digital good or service offered on a blockchain platform, there are few problems to solve that are more important than cross-chain transactions.

See also: The $100M Hack and Crypto’s Cross-Chain Payments Problem

That’s because if crypto is to become a currency of commerce, people need to be able do business outside the silo of a single blockchain. A good way to think of it is the crypto version of fiat foreign exchange (FX) — the need to be able to do business across borders.

In the cryptocurrency world right now, the main way to do that is the equivalent of asking the manager to go down to the Travelex kiosk, trade dollars for pesos, and send those pesos to a supplier in Mexico — paying a hefty transaction fee — and doing it in reverse if you receive payments from there.

Bridging Borders

Instead of that, in crypto people use cross-chain bridges, which have proven very vulnerable.

In the case of BNB Chain, the Binance Bridge is largely used by people who want to invest in decentralized finance (DeFi) schemes using the BNB cryptocurrency the exchange created when it launched the blockchain. BNB Chain is the fifth-largest blockchain by market capitalization, with $45.6 billion extent.

Read more: What Is BNB Chain and Why Isn’t It Binance Anymore?

So, someone who has bitcoin (BTC) but wants to invest in a BNB staking DeFi project could go to an exchange, sell BTC for BNB or possibly sell BTC for a stablecoin, then use that to buy BNB — spending time and paying fees for one or even two transactions.

Or they can use the Binance Bridge.

Bridges are ways to make transactions on cryptocurrency projects built on other blockchains. The way they work is fairly straightforward. Someone who wants to use a BNB Chain project needs BNB tokens. So, they go to the Binance Bridge and put up collateral in the form of, for example, ether (ETH) tokens.

The bridge locks in that ETH and then mints new tokens called wrapped BNB (wBNB) that can be used just like regular BNB tokens. But they can also be traded in for the ETH that was locked in Binance Bridge, which then burns — destroys — that wBNB and returns the ETH, minus a fee that is less than an exchange transaction would be.

Too Weak

There are three problems with bridges that have made them the top target of hackers.

First, they are effectively hot wallets, meaning the crypto locked into the bridge is always online and thus reachable by hackers. Most exchanges take the vast majority of the crypto in their users’ accounts and lock it away in cold wallets — basically hard drives — that are not connected to the internet and thus cannot be hacked.

See also: What’s a Crypto Wallet and How You Can Avoid Losing a Quarter Billion Dollars?

In bridges, the funds locked in are always hot and thus vulnerable.

Second, bridges have two sides, meaning hackers can come in through the end that accepts crypto to mint wBNB, or by the side that collects that wBNB and returns users’ locked cryptocurrencies. Simply put, they are more vulnerable because there are more ways for hackers to sneak in.

Third, many have proven to be poorly or hastily built and often untested by security companies and can be run as DeFi projects controlled by smart contract managed governing decentralized autonomous organizations (DAOs) that can put code upgrades into place without proper testing. While this is unlikely to have been the case for Binance Bridge, it has been an exploitable weakness in the past.

In the case of BNB Chain, the exchange was able to contact the controlling validator who runs the proof-of-stake blockchain and get them to halt it briefly, which is why the thieves were only able to make off with $100 million.

For all PYMNTS crypto coverage, subscribe to the daily Crypto Newsletter.