Why hackers continue to exploit cross-blockchain bridges
On January 7, 2022, Ethereum co-founder Vitalik Buterin warned about the security of cross-blockchain bridges. He had argued before that bridging assets across blockchains would never carry the same guarantees as staying within one blockchain. He was right.
Secure convertibility of assets between blockchains is not guaranteed. To be precise, no one can actually “send” or “bridge” an asset to another blockchain. Instead, assets are deposited, locked, or burned on one chain; then credited, unlocked or minted on the other chain.
Even worse, blockchains cannot access information outside the chain. No blockchain can inherently verify that any multi-blockchain asset is “bridged”. At best, third-party oracles verify the truth of off-chain information and interpret that data for on-chain use. However, this introduces the first layer of trust to the bridging process: trust in data oracles. The next layer of trust is guardians.
Typically, bridging occurs by depositing an asset with a custodian and receiving a “wrapped” version of that asset from the custodian on the other blockchain. The user must trust that the custodian will both keep the original asset and release the wrapped asset.
Sometimes this custodian takes the form of a DAO or a smart contract. In any case – whether it’s a DAO or a corporate entity like BitGo (the custodian of the world’s largest wrapped asset, wrapped bitcoin) – bridging introduces multiple layers of trust.
The next layer of trust is convertibility and price parity. Simply put, it is not enough to have received a bridged asset. The user must also continue to trust that they will be able to bridge that asset back in the future on a 1-to-1 basis. One original asset must equal one wrapped asset. This is price parity risk.
At a minimum, the bridged asset must maintain parity with the original asset. So in this way, the user trusts the bridge process not only at the moment of exchange, but also as long as they use a wrapped asset in the future.
In summary, all the security risks of an asset compound for its bridged (wrapped) counterpart.
Worried about Tether Limited not redeeming a USDT for $1? Bridge that same USDT to a blockchain not backed by Tether Limited and your risks have multiplied: custodian(s), smart contracts, liquidity, price parity and, above all, the risk that the bridge fails before you need to go back to safety.
In a way, cross-blockchain bridges are like wormholes: they transport material across space, but they form and disappear spontaneously.
In fact, Wormhole is the name of the world’s most well-capitalized bridge, which connects the Ethereum and Solana blockchains. It got hacked – so have many bridges. Below is a list.
Multichain Exploitation January 19, 2022
Attackers stole $3 million in an exploit of the Multichain cross-blockchain bridge at the beginning of the year. Multichain issued initial notices that prompted users to question whether their funds were safe. It warned users to withdraw WETH, MATIC, AVAX, PERI, OMT and WBNB tokens from affected smart contracts on the platform.
Multichain later said an attacker returned 259 ETH stolen in the attack. Tether froze USDT on addresses associated with the exploit.
Qubit exploitation January 27, 2022
Qubit Finance lost 206,809 BNB ($80 million) in an exploit of QBridge on January 27, 2022. The project had built its protocol on Binance Chain.
The exploit falsely created 77,162 qXETH, which the attackers could redeem for BNB tokens. Qubit offered to negotiate with the attacker to get the funds back.
Wormhole exploit February 2, 2022
Attackers falsely minted 120,000 wrapped ETH on Solana’s blockchain using the Wormhole bridge on February 2, 2022. They created a fake signature account to validate their transactions.
A Paradigm researcher reverse-engineered the attack and determined that Wormhole had failed to implement a robust validation protocol for its guardian signatures.
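The lock-and-mint flow described earlier and the guardian-signature check the Wormhole analysis found lacking, modelled as an added example (not code from the article or from any bridge project). The guardian set, the 2-of-3 quorum and the use of HMAC tags as a stand-in for real signatures are constructed assumptions.

```python
# Added example, not code from the article or any real bridge: a toy
# lock-and-mint bridge with a guardian quorum and a backing-parity check.
# Guardian "signatures" are HMAC tags under constructed keys (assumption).
import hashlib
import hmac

# Constructed guardian set. A real bridge holds only public keys on-chain;
# enforcing the quorum is the minting contract's job, not the caller's.
GUARDIAN_KEYS = {"g1": b"key-one", "g2": b"key-two", "g3": b"key-three"}
QUORUM = 2  # 2-of-3 guardians must attest to a deposit before a mint

def deposit_message(src_chain: str, tx_id: str, recipient: str, amount: int) -> bytes:
    """Canonical bytes a guardian attests to after seeing a lock on src_chain."""
    return f"{src_chain}|{tx_id}|{recipient}|{amount}".encode()

def guardian_sign(guardian: str, msg: bytes) -> str:
    """Guardian attestation over msg (HMAC standing in for a real signature)."""
    return hmac.new(GUARDIAN_KEYS[guardian], msg, hashlib.sha256).hexdigest()

class Bridge:
    """Source-side lock ledger and destination-side mint ledger in one object."""
    def __init__(self) -> None:
        self.locked = 0   # original asset held by the custodian contract
        self.minted = 0   # wrapped asset in circulation on the other chain
        self.consumed: set[bytes] = set()  # deposits already minted against

    def verify_quorum(self, msg: bytes, sigs: dict[str, str]) -> bool:
        """Count distinct known guardians whose tag verifies over this exact msg."""
        valid = {g for g, s in sigs.items() if g in GUARDIAN_KEYS
                 and hmac.compare_digest(s, guardian_sign(g, msg))}
        return len(valid) >= QUORUM

    def lock(self, tx_id: str, recipient: str, amount: int) -> bytes:
        """User deposits on the source chain; returns the message guardians sign."""
        self.locked += amount
        return deposit_message("src", tx_id, recipient, amount)

    def mint(self, msg: bytes, sigs: dict[str, str]) -> bool:
        """Mint only with a verified quorum, and never twice for one deposit."""
        if msg in self.consumed or not self.verify_quorum(msg, sigs):
            return False
        self.consumed.add(msg)
        self.minted += int(msg.rsplit(b"|", 1)[1])
        return True

    def fully_backed(self) -> bool:
        """Parity invariant: wrapped supply must never exceed locked originals."""
        return self.minted <= self.locked
```

The `fully_backed` check is the invariant a monitor should watch: any mint that is not matched by a lock on the other side is the on-chain symptom of every false-mint incident listed below.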
Meter.io’s Meter Passport Exploit February 5, 2022
Meter.io’s Meter Passport bridge lost $4.4 million in an exploit on February 5, 2022. The exploit targeted the Moonriver smart contract platform on Polkadot’s Kusama network. The attackers stole BNB and wrapped ETH and then dumped the BNB on the decentralized exchange UniSwap.
This exploit caused a BNB price drop that allowed other individuals to obtain cheap BNB and use it as collateral for loans on platforms like Hundred Crisis. The loans caused supply problems for the affected lending apps.
Ronin Bridge exploit March 29, 2022
Attackers stole 173,600 ETH and 25.5 million USDC (about $600 million) from Ronin Bridge on March 29, 2022. The exploit involved gaining access to validator nodes’ private keys. Ronin Bridge’s developers halted deposits and withdrawals until investigators had a chance to find out what happened.
Developers built the Axie Infinity game on Ethereum’s Ronin sidechain to save on fees. Unfortunately, they compromised on security.
WonderHero exploit on April 7, 2022
WonderHero discovered an exploit of its bridge on April 7, 2022, when the value of the original WND token unexpectedly dropped by 50%. It lost $300,000 in WND tokens in the attack.
WonderHero paused the website, game, bridge, deposits and withdrawals while it investigated. It later rebooted the game, the marketplace and the yield system. Since then, WonderHero has posted an analysis confirming that the Binance bridge had been compromised.
Harmony One’s Horizon Bridge Exploitation June 23, 2022
Harmony One’s Horizon Bridge lost $100 million in an exploit on June 23, 2022. Its team said it worked with law enforcement and forensic experts to investigate the exploit. The address used to receive the stolen funds received a “Horizon Bridge Exploiter” label on Etherscan. The Horizon Bridge Exploiter address currently holds just over $93,000 in tokens.
ChainSwap Exploitation July 10, 2022
ChainSwap lost 20 million WILD tokens in an exploit on July 10, 2022. Wilder World uses WILD as its native token. A pseudonymous Twitter user and Wilder World “citizen” noticed the ChainSwap exploit on July 10, 2022. The exploit also affected Antimatter, Optionroom, Umbrellabank, Nord, Razor, Peri, Unido, Oro, Vortex, Blank and Unifarm tokens.
Prior to this incident, ChainSwap had suffered another exploit on July 2, in which it lost $800,000 in tokens. It managed to recoup some of the losses from that attack.
Nomad exploit August 2, 2022
Attackers stole $190 million in tokens by exploiting a vulnerability in Nomad’s smart contract on August 2, 2022. Once the method used to exploit the contract became public, copycat attackers drained a significant share of the funds in a mass attack.
Andreessen Horowitz’s CISO suggested that some of the looters may have been “white hat” exploiters aiming to keep funds out of the hands of malicious actors. Nomad said it worked with law enforcement and private security firms to investigate, and thanked the white hat actors for taking the initiative to protect funds.