Sok: Security and privacy of blockchain interoperability
发表信息
作者
- André Augusto
- Rafael Belchior
- Miguel Correia
- André Vasconcelos
- Luyao Zhang
- Thomas Hardjono
笔记
Recent years have witnessed significant advancements in cross-chain technology. However, the field faces two pressing challenges. On the one hand, hacks on cross-chain bridges have led to monetary losses of around 3.1 billion USD, highlighting flaws in security models governing interoperability mechanisms and the ineffectiveness of incident response frameworks. On the other hand, users and bridge operators experience restricted privacy, which broadens the potential attack surface.In this paper, we present the most comprehensive study to date on the security and privacy of blockchain interoperability. We employ a systematic literature review, yielding a corpus of 212 relevant documents, including 58 academic papers and 154 gray literature documents, out of a pool of 531 results. We systematically categorize 57 interoperability solutions based on a novel security and privacy taxonomy. Our dataset, comprising academic research, disclosures from bug bounty programs, and audit reports, exposes 45 cross-chain vulnerabilities, 4 privacy leaks, and 92 mitigation strategies. Leveraging this data, we analyze 18 notable bridge hacks accounting for over 2.9 billion USD in losses, mapping them to the identified vulnerabilities.Our findings reveal that a substantial portion (65.8%) of stolen funds originates from projects secured by intermediary permissioned networks with unsecured cryptographic key operations. Privacy-wise, we demonstrate that achieving unlinkability in cross-chain transactions is contingent on the underlying ledgers providing some form of confidentiality. Our study offers 17 critical insights into the security and privacy of cross-chain systems. We pinpoint promising future research directions, underscoring the urgency of enhancing security and privacy efforts in cross-chain technology. The identified improvements have the potential to mitigate the financial risks associated with bridge hacks, fostering user trust in the blockchain ecosystem and, consequently, wider adoption.
近年来,跨链技术取得了显著进展,但该领域仍面临两大紧迫挑战。一方面,跨链桥遭黑客攻击已造成约31亿美元经济损失,暴露出互操作性机制安全模型的缺陷及事件响应框架的失效;另一方面,用户与桥接运营商普遍存在隐私受限问题,这进一步扩大了潜在攻击面。本文开展了迄今为止最全面的区块链互操作性安全与隐私研究。通过系统性文献综述,我们从531项检索结果中筛选出212份相关文献(含58篇学术论文与154份灰色文献),并基于创新的安全隐私分类法对57种互操作性解决方案进行系统归类。我们的数据集整合了学术研究、漏洞赏金计划披露与审计报告,揭示出45种跨链漏洞、4类隐私泄露及92项缓解策略。基于此,我们分析了造成逾29亿美元损失的18起重大桥接攻击事件,并将其映射至已识别的漏洞类型。 研究发现,被盗资金的主要部分(65.8%)源于采用中介许可网络但未实施安全密钥操作的项目。隐私方面,我们证实跨链交易的不可关联性取决于底层账本是否具备某种形式的保密机制。本研究提出17项关于跨链系统安全与隐私的核心洞见,指明了未来重点研究方向,强调提升跨链技术安全隐私防护的紧迫性。这些改进措施有望降低桥接攻击导致的金融风险,增强用户对区块链生态的信任,从而推动更广泛的技术采用。