Count of Monte Crypto: Accounting-based Defenses for Cross-Chain Bridges
For blockchain bridge developers and users, this provides a practical, generic defense against a wide range of bridge exploits, addressing a critical security gap.
The paper identifies a lack of end-to-end value accounting as the root cause of \$2.6 billion in cross-chain bridge thefts (2021-2023). By analyzing 10 million transactions, they show a simple invariant balancing inflows and outflows detects all known attacks and can be implemented in-line for generic protection.
Between 2021 and 2023, crypto assets valued at over \$US2.6 billion were stolen via attacks on "bridges" -- decentralized services designed to allow inter-blockchain exchange. While the individual exploits in each attack vary, a single design flaw underlies them all: the lack of end-to-end value accounting in cross-chain transactions. In this paper, we empirically analyze 10 million transactions used by key bridges during this period. We show that a simple invariant that balances cross-chain inflows and outflows is compatible with legitimate use, yet precisely identifies every known attack (and several likely attacks) in this data. Further, we show that this approach is not only sufficient for post-hoc audits, but can be implemented in-line in existing bridge designs to provide generic protection against a broad array of bridge vulnerabilities.