Last November, DEX aggregator KyberSwap was hacked to the tune of $47 million, tanking its protocol and losing the funds of its liquidity providers. In a strange turn of events, the mysterious hacker made an unprecedented request to release the stolen funds only if the entire executive team quit and made him CEO. Unsurprisingly, this demand was rejected, and the hacker began bridging the stolen funds to Ethereum using the Synapse protocol.

KyberSwap barely survived the incident and was forced to slash half its workforce in the process, as its total value locked dropped by 68 percent. As with all defi hacks, this one is unfortunate, but there is a silver lining. 

Beware of the bridge

Compared to the early days of the crypto winter, the value lost in defi hacks dropped by 64 percent in 2023, with the median loss per hack declining by 7.5 percent, according to Chainalysis data. Of course, this is a positive development and a testament to the overall advancement of the defi space and its progress in security. Bridges—blockchain protocols fostering cross-chain interoperability—have contributed to defi’s expanded capabilities by unlocking isolated “islands” of liquidity, enabling assets to flow more freely.

Bridges also stimulate innovation by enabling developers to explore new ways to utilize cross-chain capabilities. We can see this through the creation of new financial products, improved scalability, enhanced privacy features, easier collaborative measures, and flexible risk management. 

Despite the decline in security breaches and the surge in bridge-based defi innovation, blockchain interoperability is still quite limited. Rather than fostering universal interoperability, each cross-chain protocol or bridge represents a link between two blockchain networks, meaning true interoperability would require a complex web of numerous protocols linking every blockchain to one another. 

This provides its own set of security challenges. Despite the decline in hacks, the defi space is still overrun by hackers probing for potential flaws in a protocol or a smart contract vulnerability to exploit. Since most bridges depend on smart contracts, you can expect hackers to continue testing them—be it a centralized exchange, layer-2 chain, or a set of oracles hosted by a third-party server. 

Inherent security challenges, especially on unregulated bridges, are nearly impossible to fully eliminate because most bridges interact with external systems, making them susceptible to hacking or manipulation. Users transferring assets between disparate blockchain networks via a trusted or trustless bridge have to weigh serious security concerns. 

Generally speaking, trusted bridges like the Binance Bridge offer simplicity and compliance at the expense of centralization through a third-party entity. Trustless bridges, on the other hand, prioritize decentralization, security, and permissionless access—but their reliance on smart contracts provides hackers with a clear attack vector. 

However, both types of bridges can and have been exploited. Furthermore, the general lack of KYC and AML protocols among most bridges makes them a hacker’s best friend when needing to wash stolen funds. Since bridges are the closest and most accessible mechanism to removing the barriers between isolated blockchains, defi developers and users must proceed with caution when using any cross-chain protocol. 

Why compliance matters

The choice between trustless and trusted bridges comes down to the specific use case, requirements, and trade-offs that developers or users prioritize or are willing to accept. An average web3 user looking to transfer funds from one wallet to another may opt for a trusted bridge due to its simplicity, speed, and lower gas fees. However, a dApp developer might prefer a trustless bridge to maintain complete control over their assets within a decentralized environment. 

The security factor is often taken for granted when trying to bridge assets. While both trustless and trusted bridges can adhere to varying degrees of compliance and risk mitigation—or discard it altogether—using a bridge that features a robust compliance layer certainly has its merits. 

Let’s return to the KyberSwap hack to better understand the possible implications of these security risks.

By analyzing the on-chain data, it’s apparent that had the Synapse protocol deployed a compliance layer, the hacker never would’ve been able to funnel the assets into an Ethereum-based wallet and make a getaway. A risk-mitigation platform with an end-to-end compliance module can be applied to any dApp or protocol and reject potentially problematic transactions such as moving millions in stolen funds. 

Risk mitigation isn’t a “bonus feature” that projects can sideline anymore. As regulatory bodies mull more comprehensive laws, compliance will become ever more important, especially as traditional financial institutions continue flirting with providing defi services to their clientele. 

It’s important to note that adding a compliance layer to any decentralized protocol isn’t about censorship or opposing crypto’s core ethos of financial freedom and removal of intermediaries. Rather, it’s solely about protecting user assets from being hijacked by criminals, terror supporters, and other bad actors.

As the crypto world strives for broader adoption, the need for compliance mechanisms is more vital than ever. With attack vectors in defi constantly evolving, hacks and thieves will continue to threaten the integrity of the entire industry and undermine the goal of mainstream adoption. 

While bridges don’t enable universal interoperability across the vast blockchain ecosystem, proper compliance can reduce risks for users and developers, and safeguard defi’s progress. Therefore, developers would be wise to factor in a bridge’s compliance standards when engaging in cross-chain transactions.