Decentralized Finance (DeFi) in the early days operated within siloed blockchain ecosystems; it was impossible to transfer digital assets from one DApp ecosystem to another. However, with the advent of cross-chain infrastructures, DeFi natives are no longer limited to a single DApp environment. One can bridge (transfer) their crypto assets from Ethereum to Solana and vice versa. But at what cost?
According to a report by Chainalysis, cross-chain bridges were the most prone to security vulnerabilities at the height of the 2022 bull market. A closer look at the statistics further reveals that this type of DeFi infrastructure is no longer as popular as it was; for context, there’s over $88 billion locked in the larger DeFi realm while the total cross-chain TVL is barely above the $1 billion mark.
Cross-chain TVL over the years: DeFi Llama
Cross-Chain Bridges, Not Yet There!
As the TVL trend above shows, cross-chain bridges may not have lived up to the hype.
The question, however, is why, and what will save the Web3 ecosystem from the disintegration that has long been a hurdle to adoption and innovation?
To understand the weak link in cross-chain infrastructures, it is important to define the two main types that exist: trusted and trustless. The former relies on centralized operators or entities to support the process of transferring digital assets from one chain to the other. On the other hand, trustless bridges are powered by automated smart contracts with pre-coded logic; they also happen to be the most common types of bridges in DeFi.
But despite their popularity, the weakness of trustless bridges lies in their strength. Automated smart contracts have, over time, proven not to be as secure as they were touted during the DeFi summer of 2021. There have been several instances where trustless cross-chain bridges have fallen victim to both simple and complex attacks, raising questions about their suitability in strengthening the integration of the Web3 ecosystem.
Bridge Contract Exploitation
In January 2022, attackers launched a false deposit exploit on the Qubit bridge contract. These actors realized that they could bypass the verification process for depositing tokens by duping the contract address, which allowed them to mint around $185 million worth of qXETH tokens on the BSC chain (destination chain) without depositing a single ETH.
The incident is similar to the Wormhole bridge exploit, where the attackers again managed to get past the verification process by exploiting the contract. In this case, the losses totaled a whopping $321 million, marking the second largest DeFi hack to date.
Compromised Private Keys
Although decentralized, cross-chain bridges still rely on centralized validators to some extent. If the private keys that give access to the validator nodes are compromised, attackers who control the minimum number of nodes required can authorize transactions.
Axie Infinity’s Ronin bridge hack in 2022 is a classic example of a scenario where malicious players were able to access the private keys, eventually compromising five validator nodes. Over $620 million worth of user funds were compromised during this unfortunate event.
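The quorum rule described in this section, as an added example that is not taken from any bridge's code: a withdrawal is authorized once enough distinct validators have signed it, so the check passes for whoever holds that many keys. The 5-of-9 validator set, the message encoding, all names, and the use of HMAC-SHA256 in place of real validator signatures are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed validator set: 9 validators, 5 approvals required (assumed values).
THRESHOLD = 5
VALIDATOR_KEYS = {f"validator-{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest()
                  for i in range(9)}


def sign(validator_id: str, key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 stand-in for a validator signature, bound to the signer's id."""
    return hmac.new(key, validator_id.encode() + b"|" + message, hashlib.sha256).digest()


def withdrawal_message(chain_id: int, nonce: int, recipient: str, amount: int) -> bytes:
    """Canonical encoding of the withdrawal that validators approve (hypothetical format)."""
    return f"{chain_id}|{nonce}|{recipient}|{amount}".encode()


def count_valid_approvals(message: bytes, approvals: list[tuple[str, bytes]]) -> int:
    """Count approvals from distinct, known validators whose signature verifies."""
    seen = set()
    for validator_id, signature in approvals:
        key = VALIDATOR_KEYS.get(validator_id)
        if key is None or validator_id in seen:
            continue  # unknown signer, or the same validator submitted twice
        if hmac.compare_digest(sign(validator_id, key, message), signature):
            seen.add(validator_id)
    return len(seen)


def is_authorized(message: bytes, approvals: list[tuple[str, bytes]]) -> bool:
    """The bridge releases funds only when the quorum is met."""
    return count_valid_approvals(message, approvals) >= THRESHOLD


def approvals_from(validator_ids, message: bytes):
    """Approvals produced by whoever holds these validators' keys."""
    return [(v, sign(v, VALIDATOR_KEYS[v], message)) for v in validator_ids]


if __name__ == "__main__":
    msg = withdrawal_message(1, 42, "0xRecipientPlaceholder", 1000)
    four = approvals_from([f"validator-{i}" for i in range(4)], msg)
    # Four keys stay below quorum even if one approval is submitted twice.
    print("4 keys, one replayed:", is_authorized(msg, four + four[:1]))
    five = approvals_from([f"validator-{i}" for i in range(5)], msg)
    # Five keys meet quorum; the check cannot tell who is holding them.
    print("5 keys:", is_authorized(msg, five))
```

The check is only as strong as the custody of the threshold number of keys, which is why key separation between validators and alerting on unusually large approved withdrawals matter as much as the verification logic itself.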
Zero-knowledge (ZK) Proofs: The Future of DeFi Interoperability
The examples highlighted in the previous section are just the tip of the iceberg; multiple cross-chain bridges have fallen victim to infamous hackers such as North Korea’s Lazarus Group. The common factor? Code vulnerabilities, potential inside jobs (rug pulls), or compromised private keys.
This doesn’t have to be the fate of Web3 interoperability. Zero-knowledge (ZK) rollups are introducing a new angle to making the DeFi ecosystem unified while maintaining the most fundamental aspects: privacy and security.
For context, ZK rollups were designed to alleviate Ethereum’s scaling issue by introducing Layer 2 chains that process multiple transactions off-chain before submitting them as a batch to the main network. More importantly, ZK rollups rely on what are known as validity proofs: in this approach to verification, a prover can show verifiers that a statement (a submitted transaction) is valid without necessarily revealing its contents, which preserves privacy and security.
While ZK Layer 2s are still in the early adoption phases, it is worth highlighting that some projects, such as the Prom zkEVM, are solving DeFi’s interoperability problem at the same time. This Layer 2 chain is compatible with both EVM and non-EVM chains, which means that users can transact across multiple DApp environments. Prom submits ZK proofs to multiple chains, thereby strengthening the integrity and resilience of the DeFi market.
It is also intriguing to observe that, unlike cross-chain bridges where interest is waning, ZK rollups have been on an uptrend since the beginning of 2023. The latest stats by Layer 2 data analysis platform L2Beat reveal that the total value locked (TVL) across ZK rollups has grown almost tenfold within a span of one and a half years, from a mere $586 million to over $4.5 billion as of writing.
Conclusion
The advancements in technology over the past two decades have transformed global financial markets, with apps like Robinhood making it seamless to access traditional equity markets that were previously limited to sophisticated traders and investors. If DeFi is to play in the same league or even disrupt the status quo to become the future of finance, interoperability is a much-needed feature. However, it would be counterintuitive to pioneer solutions that do not guarantee the privacy and security of DeFi users, which is why embracing novel cryptography such as zero-knowledge proofs could unlock a multitude of new users.