According to the updated post, the hack was socially engineered rather than a technical flaw (the Ronin bridge was exploited for 173,600 Ethereum and 25.5M USDC). Wait a minute: decentralized protocols must handle any kind of attack.
Cybersecurity is not only a technical concept; it has many aspects, including the architectural, economic and social levels.
A bridge is a weak point of the decentralized internet. A decentralized bridge is yet another special-purpose decentralized network (a consensus protocol) whose purpose is to move assets between networks. If the number of nodes is very small, say hello to the 51% attack.
Solutions
Simple and universal solutions above all: limits and temporary locks. For small amounts of money, low limits; for big money, higher limits (amount per transaction, amount from/to one address, time lock, etc.). Using limits is normal practice in fintech.
Any bridge protocol should include smart contracts at both ends that lock the assets being moved for long enough to check the transfer; don't use direct transfers.
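As an added illustration (not code from this post, nor Ronin's or Sky Mavis's own), here is a Python model of the limit-and-lock policy above: a per-transaction cap, a rolling per-address cap, and tiered time locks so small withdrawals clear at once while large ones sit in a window where a validator can veto them. All caps, tiers and addresses are hypothetical values chosen for the example.

```python
from collections import defaultdict, deque


class BridgeWithdrawalPolicy:
    """Limit-and-lock policy for bridge withdrawals (hypothetical model).

    Amounts are whole token units, timestamps are seconds.
    tiers: ascending list of (max_amount, lock_seconds); a withdrawal waits
    the lock of the first tier whose max_amount covers it.
    """

    def __init__(self, per_tx_cap, per_address_cap, window, tiers):
        self.per_tx_cap = per_tx_cap
        self.per_address_cap = per_address_cap  # rolling cap per address per window
        self.window = window
        self.tiers = sorted(tiers)
        self.history = defaultdict(deque)  # addr -> deque of (ts, amount)
        self.pending = {}  # withdrawal id -> state

    def _spent_in_window(self, addr, now):
        q = self.history[addr]
        while q and q[0][0] <= now - self.window:  # drop entries that aged out
            q.popleft()
        return sum(amount for _, amount in q)

    def request(self, wid, addr, amount, now):
        if amount > self.per_tx_cap:
            return "rejected:per_tx_cap"
        if self._spent_in_window(addr, now) + amount > self.per_address_cap:
            return "rejected:per_address_cap"
        lock = next((d for cap, d in self.tiers if amount <= cap), self.tiers[-1][1])
        self.history[addr].append((now, amount))
        self.pending[wid] = {"addr": addr, "amount": amount,
                             "unlock": now + lock, "vetoed": False}
        return f"locked_until:{now + lock}"

    def veto(self, wid):
        # A validator/guardian challenge during the lock window freezes the payout.
        self.pending[wid]["vetoed"] = True

    def claim(self, wid, now):
        p = self.pending[wid]
        if p["vetoed"]:
            return "vetoed"
        if now < p["unlock"]:
            return "locked"
        del self.pending[wid]
        return "paid"
```

A single oversized drain like the one in the post is refused by the per-transaction cap, and splitting it across many transfers runs into the per-address window cap and the lock delay.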
Proof of authority (POA)
A decentralized network with a small number of nodes (a bridge is one such network) can be effectively deployed as a network of known authorities at the technical level. Each node holds a fairly large amount of money in a special smart contract as collateral; this money can be lost in case of provable bad actions by the node.
No bridges, direct chain-to-chain transfers
The best solution, of course, is direct transfers between chains; this provides the same security level as each chain on its own. Inter-blockchain communication protocols already exist and should be supported by networks.
UPD
Update from Axie:
1) Add more organizations to the validator node pool.
2) Evolve the current source code to improve security and decentralization functionality. For example, we’d like to add the ability to assign withdrawal limits and enable more governance functions in the bridge.
UPD2
According to the Ronin Security Breach Postmortem, one employee was compromised, and the attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes. WTF?
Each validator node must be managed and controlled independently.
Elon Musk on Twitter: “Has anyone seen web3? I can’t find it …
UPD3
How a fake job offer took down the world’s most popular crypto game…