Wormhole Exploit Underlines Case For Greater MPC Use Across Blockchain Oracles & Bridges

756
Wormhole Exploit Underlines Case For Greater MPC Use Across Blockchain Oracles & Bridges
Advertisement
   

Decentralized finance (DeFi) might have emerged as an exciting category in the blockchain ecosystem, but its still-nascent state has left many participants exposed to the accompanying risks of this more democratized financial services iteration. 

The latest exploit of Wormhole, a blockchain bridge between Solana and Ethereum, underscores the flaws that continue to crop up and impact DeFi users. For context, the hack of  $325 million was effectively the result of flawed logic in the bridge’s programming set for an update.

Ordinarily, a transaction flowing through Wormhole to Solana requires a valid transaction signature and guardian (approved validation node). If these two conditions are met, transaction requests are approved. In the event of an invalid transaction signature and valid guardian, the necessary conditions for initiating a transaction aren’t fulfilled, leading Solana to deny this request. However, instead of presenting invalid conditions where there was an invalid transaction signature and valid guardian, the hacker used an invalid signature and a non-guardian, effectively creating two unapproved conditions. 

Because two valid conditions are needed to form a “match” to accept the transaction requests, and two invalid conditions could also be viewed as a “match” within the system’s existing logic, it allowed the hacker to mint wrapped Ethereum (wETH) on Solana. Without having to deposit 120,000 ETH into what functions as an escrow account, the hacker minted 120,000 wETH, which was then exchanged, tricking Wormhole into unlocking ordinary Ethereum that collateralized other wETH on Solana.

Although the Wormhole team has since closed the flaw, it is unclear how they intend to recapitalize the funds stolen from the bridge despite announcing efforts to that effect. While they’ve made bounty overtures to the hacker, the non-response has been deafening. Still, this hack highlights the significant vulnerabilities within the critical interoperability infrastructures that connect DeFi, and more importantly, those that allow blockchains to communicate.

Advertisement  

Can Multi-Party Computation Mean Safer Interoperability?

Interoperability, or in this context, the ability to connect disconnected blockchains and ecosystems, is the glue that holds decentralized finance together via a spread of bridges, oracles, and more. However, interoperability can also mean vulnerability, as was the case with Wormhole, especially when interoperability is responsible for overseeing the secure exchange of value between two systems.

The idea of requiring multiple parties or proofs (like signatures) to approve certain transactions is no stranger to blockchain technology but a rather common feature of certain eWallets. The idea of distributing signature power to multiple parties diminishes the risk of a single point of failure. 

For mutlisig wallets, this means deciding who the co-signers will be and how many co-signers must sign a transaction. The problem with this model is changing co-signers and permissions, not to mention that multiple signatures need to be presented simultaneously, resulting in availability demands from co-signers for every transaction.

Multi-party computation (MPC) can help avoid these complications, but its application stretches well beyond wallets and key verification. MPC uses completely modifiable endpoints containing a portion of the secret keys but not their entirety. Together, these endpoints are used to form a consensus, and a minimum number of endpoints are set to reach this consensus on a transaction.

Kurt Nielsen, the President and Co-founder of Partisia blockchain, believes that MPC holds the key to unlocking the true potential of interoperability in a more secure, trustworthy framework. Nielsen notes, “Interoperability via token bridges exhibits immense potential to become a main value creator in the blockchain ecosystem. However, as we saw in the Wormhole exploit, moving tokens outside of their established security model poses significant challenges and vulnerabilities. Our answer is more sophisticated, proven audit principles and large scale MPC security measures.”

He further explains, “First, a regularly expiring Oracle effectively and transparently represents the values across the different blockchains like the double-entry bookkeeping that has proven its worth since the Medici Bank in the 14th century. Second, large-scale MPC security measures avoid the accumulation of financial risk across Oracles or epochs. Third, the nodes operating the Oracle in a given epoch provide collateral to back the transferred values, and finally, objective imbalances are compensated through a decentralized dispute process.”

Partisia has been involved in commercial-grade MPC solutions since 2008 and now is applying its acumen to blockchain-based applications. Partisia Blockchain effectively acts as an interoperability layer using Zero-Knowledge proof computations. With nodes being rated and ranked according to their trust score, DeFi users can gain greater trust in how and who is moving their value between ecosystems.

Although the largest such incident in 2022 thus far, Wormhole will likely be far from the only DeFi protocol, bridge, or blockchain targeted by hackers as the year progresses. Nevertheless, as Partisia shows, MPC stands out as one strategy for fostering communication between networks that oversee data or value transfer without knowing exactly what is being transferred by who and to where.