The measures introduced by EU Regulation 2022/858 could be the answer to the risk of a cyberattack on a blockchain bridge in the DeFi environment.
Recently, a platform that aggregates financial data on blockchains and decentralized applications (dApps), including within Decentralized Finance (DeFi), showed statistically that cyberattacks (exploits) against so-called blockchain bridges account for 50 percent of the total and represent a worrisome $2.5 billion loss in value since 2020. Investors are therefore demanding adequate safeguards and have repeatedly attempted to take the matter to court.
In this regard, we will see what EU Regulation 2022/858, on a pilot regime for market infrastructures based on distributed ledger technology, provides regarding the security obligations and liability of platform operators, and how it could reduce the risk of cyberattacks.
What is the blockchain bridge and why it increases the risk of cyberattack
Attacks on blockchain bridges are a particular category of cyberattack that, especially in the context of DeFi protocols, has grown significantly in recent times, peaking in early 2022.
A blockchain bridge is implemented to overcome an endemic problem of blockchain technology, namely the lack of interoperability between different blockchains. Typically, moving from one chain to another through a bridge consists of freezing or destroying the tokenized assets to be transferred on the first chain and subsequently issuing them on the second chain. For this, third parties are employed who (i) guard the assets; and (ii) issue tokens whose value is tied to that of the assets (“wrapped tokens”). This process is particularly critical for two reasons: it cannot guarantee that the asset has actually been transferred from one blockchain to the other, because that is information held outside the blockchain (so-called off-chain information), and it requires an additional degree of trust in the third party regarding the price equivalence between the asset and the wrapped tokens.
For example, suppose we want to obtain native bitcoin (BTC) while holding only Ethereum tokens. To get exposure to BTC on the Ethereum blockchain, you can buy wrapped bitcoin (WBTC). However, WBTC is a native ERC-20 token on the Ethereum network, which means it is not the original asset on the Bitcoin blockchain. To own native BTC, therefore, it is necessary to move the asset from Ethereum to Bitcoin using a bridge, which converts the WBTC into native BTC. Conversely, using bitcoin in Ethereum’s DeFi protocols would require a bridge in the other direction (BTC to WBTC), after which the wrapped token can be used as an asset on Ethereum.
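As an added illustration of the lock-and-mint flow just described (example code written for this page, not any real bridge's implementation): a toy custodial bridge that mints WBTC only against a deposit the custodian has attested, rejects replays and unbacked mints, and exposes the reserve invariant (wrapped supply never exceeds assets in custody) that an independent monitor should check, precisely because the attestation itself is off-chain information the destination chain cannot verify. Names, transaction ids and amounts are constructed.

```python
# Toy lock-and-mint bridge (constructed for this page; amounts are integer satoshis).
from dataclasses import dataclass, field


@dataclass
class LockAndMintBridge:
    """Custodian holds native BTC on the source chain and issues WBTC on the destination."""
    locked_sats: int = 0                              # native BTC in custody (source chain)
    wbtc_supply: int = 0                              # wrapped tokens outstanding (destination)
    attestations: dict = field(default_factory=dict)  # off-chain log: deposit_tx -> amount
    consumed: set = field(default_factory=set)        # deposit ids already used to mint

    def custodian_attest_lock(self, deposit_tx: str, amount: int) -> None:
        """The custodian observes a BTC deposit and records it off-chain."""
        self.locked_sats += amount
        self.attestations[deposit_tx] = amount

    def mint_wbtc(self, deposit_tx: str, amount: int) -> bool:
        """Mint only against an attested, not-yet-used deposit of exactly this amount."""
        if deposit_tx in self.consumed:                  # old deposit presented twice
            return False
        if self.attestations.get(deposit_tx) != amount:  # no matching off-chain attestation
            return False
        self.consumed.add(deposit_tx)
        self.wbtc_supply += amount
        return True

    def burn_and_release(self, amount: int) -> bool:
        """Reverse direction: destroy WBTC, then the custodian releases native BTC."""
        if amount <= 0 or amount > self.wbtc_supply or amount > self.locked_sats:
            return False
        self.wbtc_supply -= amount
        self.locked_sats -= amount
        return True

    def reserves_backed(self) -> bool:
        """Solvency invariant a monitor should check: wrapped supply <= assets in custody."""
        return self.wbtc_supply <= self.locked_sats


def demo() -> tuple:
    """Walk through the WBTC scenario and show what the reserve check catches."""
    b = LockAndMintBridge()
    b.custodian_attest_lock("btc-tx-1", 200_000_000)  # 2 BTC locked with the custodian
    ok_mint = b.mint_wbtc("btc-tx-1", 200_000_000)    # backed by the attested deposit
    replay = b.mint_wbtc("btc-tx-1", 200_000_000)     # same deposit reused: rejected
    phantom = b.mint_wbtc("btc-tx-9", 500_000_000)    # nothing locked: rejected
    backed_before = b.reserves_backed()
    b.wbtc_supply += 500_000_000  # model a defect that issued unbacked tokens past the checks
    return ok_mint, replay, phantom, backed_before, b.reserves_backed()
```

The last value returned by `demo()` is `False`: the on-chain supply no longer matches what the custodian holds, which is the kind of discrepancy an operator's reserve monitoring should alert on.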
In short, the use of a bridge encourages the centralization of financial assets, creating a point of vulnerability for the investor that must be guarded by security measures and cyber risk management procedures. In this sense, EU Regulation 2022/858 lays down several security requirements for the market infrastructures on which tokenized financial instruments will be traded.
How EU Regulation 2022/858 can reduce the risk of a cyberattack against a blockchain bridge
Although technical alternatives (still experimental) have already been proposed, for example the reversibility of transactions and the freezing of funds in the event of a cyberattack, from a strictly legal point of view investors can find protection in the provisions of EU Regulation 2022/858, which will apply as of March 23, 2023.
In particular, DLT market infrastructures on which tokenized financial instruments will be traded will operate under an authorization regime granted by national authorities following a non-binding opinion of the European Securities and Markets Authority (ESMA).
Additional requirements under the Regulation include ensuring for DLT market infrastructures tout court:
- the reliability “of all IT and cyber devices of a DLT market infrastructure,” including through an independent auditor appointed by the authority, if necessary;
- the protection from cyber attacks and/or negligence of the operator; and
- the implementation of specific procedures for managing operational risk arising from the use of DLT technology.
Finally, of particular relevance is Article 7(4) of EU Regulation 2022/858, which provides for liability on the part of the infrastructure operator in the event of loss of funds, loss of collateral, or loss of a financial instrument, unless the operator proves that these events were caused by an external event beyond its reasonable control, the consequences of which would have been unavoidable despite all reasonable efforts to avoid them. It is not yet known what precisely is meant by this last exemption; however, it is easy to imagine that an exploit caused by a defectively programmed bridge, or by the choice of an unreliable third party, could certainly make the platform operator liable under the Regulation.
On a similar issue, you can read the article “What is the liability deriving from the blockchain? And how to handle it?”.