With staking of POWR on the horizon, this article explains how our staking architecture protects against hacks such as the recent hack on the Wormhole bridge between Ethereum and Solana.
One of the most costly hacks against the Solana blockchain happened on Wednesday, February 2, 2022, when a hacker managed to transfer 80,000 wrapped ether (wETH) out of the Solana system and into the Ethereum blockchain through the Wormhole bridge, a service that transfers funds between different blockchains, and then redeem it for real ether (ETH) on the Ethereum chain.
During the design stage of the POWR staking architecture, we contemplated using the Wormhole bridge to enable the transfer of POWR from Ethereum to the Powerledger chain. After some deliberation, we decided against it because the Wormhole system was complex enough that we could not rule out undiscovered exploits.
Instead, we opted to use a different type of bridge that is secured by Powerledger, where an event on the Ethereum side triggers a set of actions on the Powerledger chain and vice versa.
It is worth taking some time to understand the Wormhole hack, if only at a high level. It will certainly cause some to become cautious of all cross-chain bridges, which perhaps, is unfortunate. Cross-chain bridges have a role to play in a thriving blockchain ecosystem and can be safe as long as the lessons are well understood and safety measures are implemented.
At a very high level, a bridge allows the user to deposit funds on one blockchain and claim a derivative of those funds on another blockchain. It is somewhat similar to buying casino chips: the casino goer surrenders money on the “dollar chain” and receives money on the “casino chain”. And as with casinos, it is almost always the higher-value, more widely accepted form of money that is surrendered. In the case of the Wormhole bridge, this is ETH, and the less widely accepted form of money that is received is wrapped ETH (wETH).
The withdrawal process of course works in reverse: the user surrenders their local money, such as wrapped ETH, and gets an equal amount of global money, such as ETH, in return. This part of the process can be attacked for gain, and indeed this is what happened in the Wormhole hack. The attacker minted a large amount of wrapped ETH that did not have any backing. Think of it as hacking your bank account, adding a few zeros to it, and then withdrawing the entire amount in cash from an ATM, making the zeros you typed real at that moment.
Because the Wormhole hack involved two public blockchains, it drew widespread attention, and those with a flair for detective work accessed, viewed and analysed every bit of code that was executed. If you are keen to know all of the details, you can find them in this article here and a second article here.
At Powerledger, we are deploying bridge-like functionality and in light of what has occurred, we wanted to share how our bridge works and the protections we are putting in place to keep our staking mechanism secure.
There are 4 key differences that protect the POWR staking contract from a Wormhole-type attack:
1. No minting. Staking on the Powerledger chain happens with the native token of the chain. This means there is no minting functionality that an attacker can use to increase their balance.
2. Permissioned chain. Powerledger is not a public chain, so it is not possible for just anyone to push a transaction onto the chain. Additionally, the relayer that approves transactions on both chains is controlled by Powerledger. This makes the type of attack used on Wormhole impossible here. The complexity of the flaw that was exploited to pull off the Wormhole hack illustrates the sophistication of the adversaries that smart contract developers must defend against. Being a permissioned chain reduces the risk of attacks by the public.
3. Withdrawal checks. Our smart contract checks the amount that was deposited and the amount of rewards earned. It then validates the amount of tokens being withdrawn against those figures, and will automatically cease functionality if a malicious withdrawal is detected.
4. Withdrawal delay. There is a 7-day delay between funds being withdrawn on the Powerledger side and the ability to claim POWR from the staking contract, in order to allow for the staker to fully undelegate their staked POWR. We leverage this window of time to stop malicious activity before funds can be withdrawn.
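To make points 3 and 4 concrete, here is an added illustrative model of a staking contract that validates each withdrawal against the recorded deposit plus rewards, halts itself when a request exceeds that balance, and enforces a 7-day delay before funds can be claimed. This is example code, not Powerledger's contract; the class and method names are hypothetical and the sample balances are constructed.

```python
from dataclasses import dataclass, field

SEVEN_DAYS = 7 * 24 * 60 * 60  # withdrawal delay, in seconds


@dataclass
class Staker:
    deposited: int = 0                           # principal staked
    rewards: int = 0                             # rewards credited so far
    pending: list = field(default_factory=list)  # (amount, unlock_time) awaiting claim


class StakingContract:
    """Hypothetical model: withdrawal check + 7-day delay + circuit breaker."""

    def __init__(self):
        self.stakers = {}
        self.halted = False  # once set, nothing can be claimed until operators intervene

    def deposit(self, who, amount):
        self.stakers.setdefault(who, Staker()).deposited += amount

    def credit_rewards(self, who, amount):
        self.stakers.setdefault(who, Staker()).rewards += amount

    def request_withdrawal(self, who, amount, now):
        """Validate the request against deposit + rewards; halt the contract on violation."""
        s = self.stakers.setdefault(who, Staker())
        if self.halted:
            return False
        if amount <= 0 or amount > s.deposited + s.rewards:
            # A request exceeding the recorded balance is treated as malicious:
            # the contract ceases functionality instead of trusting the relayed message.
            self.halted = True
            return False
        take = min(amount, s.rewards)  # spend rewards first, then principal
        s.rewards -= take
        s.deposited -= amount - take
        s.pending.append((amount, now + SEVEN_DAYS))
        return True

    def claim(self, who, now):
        """Release only withdrawals whose 7-day delay has elapsed; nothing while halted."""
        if self.halted:
            return 0
        s = self.stakers.setdefault(who, Staker())
        ready = [p for p in s.pending if p[1] <= now]
        s.pending = [p for p in s.pending if p[1] > now]
        return sum(a for a, _ in ready)

    def halt(self):
        """Operator circuit breaker, usable at any point during the 7-day window."""
        self.halted = True
```

The halt in request_withdrawal models the automatic stop from point 3; the explicit halt method models operators intervening during the window from point 4.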
At Powerledger we pride ourselves on being a trusted solutions provider for our business partners. It has been imperative that we keep a close eye on the changes in technology that could affect the success and security of our own solutions. Being aware of changes in Solana and cross-chain bridges, for example, ensures that we remain agile and track best practices for cross-chain bridging. Only by giving careful consideration to the architecture and design of a blockchain can we place safeguards against a similar attack in the future.