Explained: Why hackers keep exploiting cross-blockchain bridges
On January 7, 2022, Ethereum co-founder Vitalik Buterin warned about the security of cross-blockchain bridges. He presciently argued that bridging assets across blockchains would never enjoy the same guarantees as staying within one blockchain. He was right.
The safe convertibility of assets between blockchains is not guaranteed. To be precise, no one can actually “send” or “bridge” an asset to another blockchain. Instead, assets are deposited, locked, or burned on one chain, then credited, unlocked, or minted on the second chain.
Worse, blockchains cannot access off-chain information. No blockchain can natively verify that any multi-blockchain asset is “bridged.” At best, third-party oracles attest to the truthfulness of off-chain information and interpret that data for on-chain use. However, this introduces the first layer of trust to the bridging process: trust in data oracles. The next layer of trust is custodians.
Typically, bridging occurs by depositing one asset with a custodian and receiving a “wrapped” version of that asset from the custodian on the second blockchain. The user must trust the custodian to both safekeep the original asset and release the wrapped asset.
Sometimes, this custodian can take the form of a DAO or smart contract. In any case — whether a DAO or a corporate entity like BitGo (the custodian of the world’s largest wrapped asset, wrapped bitcoin) — bridging introduces several layers of trust.
Continuing, the next layer of trust is convertibility and price parity. Put simply, it’s not enough to have received a bridge asset. A user must additionally continue to trust that they will be able to bridge that asset back in the future on a 1-for-1 basis. One original asset must equal one wrapped asset. This is price parity risk.
At a minimum, the bridged asset must maintain parity with the original asset. So, in this way, the user is trusting the bridging process not just at the swapping moment, but also for as long as they are using a wrapped asset in the future.
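As an added example (not from the original article or from any bridge project), the following Python monitor replays lock, mint, burn, and unlock events and flags wrapped supply that is not backed 1-for-1 by locked collateral, which is the condition a fraudulent mint produces. The event schema, field names, and sample events are assumptions constructed for illustration.

```python
from decimal import Decimal

# Constructed sample events (not real chain data). "source" events come from the
# custodian on the original chain, "dest" events from the wrapped-token contract.
EVENTS = [
    {"chain": "source", "kind": "lock",   "id": "dep-1", "amount": "10"},
    {"chain": "dest",   "kind": "mint",   "id": "dep-1", "amount": "10"},
    {"chain": "dest",   "kind": "burn",   "id": "wd-1",  "amount": "4"},
    {"chain": "source", "kind": "unlock", "id": "wd-1",  "amount": "4"},
    {"chain": "dest",   "kind": "mint",   "id": "dep-1", "amount": "10"},   # deposit reused
    {"chain": "dest",   "kind": "mint",   "id": "dep-9", "amount": "500"},  # no deposit at all
]

def audit_bridge(events):
    """Replay bridge events in order and return a list of (index, reason) alerts."""
    locked = Decimal(0)    # collateral held on the source chain
    wrapped = Decimal(0)   # wrapped supply outstanding on the destination chain
    deposits = {}          # deposit id -> locked amount
    minted = set()         # deposit ids already consumed by a mint
    alerts = []
    for i, ev in enumerate(events):
        amount = Decimal(ev["amount"])
        kind = ev["kind"]
        if kind == "lock":
            locked += amount
            deposits[ev["id"]] = amount
        elif kind == "unlock":
            locked -= amount
        elif kind == "burn":
            wrapped -= amount
        elif kind == "mint":
            wrapped += amount
            if ev["id"] not in deposits:
                alerts.append((i, "mint without matching deposit"))
            elif ev["id"] in minted:
                alerts.append((i, "deposit id reused for a second mint"))
            elif deposits[ev["id"]] != amount:
                alerts.append((i, "mint amount differs from deposit"))
            minted.add(ev["id"])
        # Parity invariant: one wrapped unit per locked unit, checked after every event.
        if wrapped > locked:
            alerts.append((i, f"unbacked supply: wrapped {wrapped} > locked {locked}"))
    return alerts

if __name__ == "__main__":
    for index, reason in audit_bridge(EVENTS):
        print(index, reason)
```

The per-mint checks catch a single bad mint, while the running supply comparison catches any path that leaves wrapped tokens outstanding without collateral, whatever caused it.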
In summary, all of an asset’s security risks multiply exponentially for its bridged (wrapped) counterparts.
Concerned about Tether Limited not redeeming one USDT for $1? Bridge that same USDT to a blockchain not supported by Tether Limited and your risks have multiplied by custodian(s), smart contracts, liquidity, price parity, and, most of all, whether the bridge will burn down before you need to traverse back to safety.
In a way, cross-blockchain bridges are like wormholes: they transport material across space, but they form and annihilate spontaneously.
In fact, Wormhole is the name of the world’s most well-capitalized bridge, linking the blockchains of Ethereum and Solana. It was hacked, as many bridges have been. Below is a list.
Multichain exploit on January 19, 2022
Attackers stole $3 million in an exploit of the Multichain cross-blockchain bridge at the beginning of the year. Multichain issued initial messaging that caused users to question whether their funds were safe. It warned users to withdraw the tokens WETH, MATIC, AVAX, PERI, OMT, and WBNB from affected smart contracts on its platform.
Multichain later said one attacker returned 259 ETH stolen in the attack. Tether froze USDT on addresses linked to the exploit.
Qubit exploit on January 27, 2022
Qubit Finance lost 206,809 BNB ($80 million) in an exploit of QBridge on January 27, 2022. The project built its protocol on Binance Chain.
The exploit fraudulently minted 77,162 qXETH, which the attackers could redeem for BNB tokens. Qubit offered to negotiate with the attacker to regain the funds.
Wormhole exploit on February 2, 2022
Attackers fraudulently minted 120,000 wrapped ETH on Solana’s blockchain using the Wormhole bridge on February 2, 2022. They created a spoofed signature account to validate their transactions.
A Paradigm researcher reverse-engineered the attack and determined that Wormhole had failed to implement a more robust validation protocol for its guardian signatures.
Meter.io’s Meter Passport exploit on February 5, 2022
Meter.io’s Meter Passport bridge lost $4.4 million in an exploit on February 5, 2022. The exploit targeted the Moonriver smart contract platform on Polkadot’s Kusama network. The attackers stole BNB and wrapped ETH and then dumped the BNB on the decentralized exchange Uniswap.
This exploit caused the BNB price to plummet, which allowed other individuals to scoop up cheap BNB and use it as collateral for loans on platforms like Hundred Crisis. The loans caused supply issues for the affected loan apps.
Ronin Bridge exploit on March 29, 2022
Attackers stole 173,600 ETH and 25.5 million USDC (about $600 million) from the Ronin bridge on March 29, 2022. The exploit involved gaining access to validator nodes’ private keys. The Ronin bridge’s developers halted deposits and withdrawals until investigators had a chance to determine what happened.
Developers built the Axie Infinity game on Ethereum’s Ronin sidechain to save on fees. Unfortunately, they compromised on security.
WonderHero exploit on April 7, 2022
WonderHero discovered an exploit of its bridge on April 7, 2022, when the value of its native WND token unexpectedly plummeted by 50%. It lost $300,000 in WND tokens in the attack.
WonderHero paused its website, game, bridge, deposits, and withdrawals while investigating. It restarted the game, marketplace, and yield system. Since then, WonderHero posted an analysis confirming that its Binance bridge had been compromised.
Harmony One’s Horizon Bridge exploit on June 23, 2022
Harmony One’s Horizon Bridge lost $100 million in an exploit on June 23, 2022. Its team said it was working with law enforcement authorities and forensics experts to investigate the exploit. The address used to receive the stolen funds received a “Horizon Bridge Exploiter” label on Etherscan. The Horizon Bridge Exploiter currently holds just over $93,000 in tokens.
ChainSwap exploit on July 10, 2022
ChainSwap lost 20 million WILD tokens in an exploit on July 10, 2022. Wilder World uses WILD as its native token. A pseudonymous Twitter user and Wilder World “citizen” noticed the ChainSwap exploit on July 10, 2022. The exploit also affected Antimatter, Optionroom, Umbrellabank, Nord, Razor, Peri, Unido, Oro, Vortex, Blank, and Unifarm tokens.
ChainSwap froze its Ethereum-Binance Smart Chain bridge while it investigated.
Prior to this incident, ChainSwap suffered another exploit in which it lost $800,000 in tokens on July 2. It managed to recoup some of those losses in that attack.
Nomad exploit on August 2, 2022
Attackers stole $190 million in tokens by exploiting a vulnerability in Nomad’s smart contract on August 2, 2022. Once the method used to exploit the smart contract became public, a mass attack drained a considerable amount of the money.
Andreessen Horowitz’s CISO suggested that some looters might have been “white hat” exploiters aiming to keep money out of the hands of nefarious actors. Nomad said it was working with law enforcement and private security firms to investigate and thanked the white hat actors for taking the initiative to protect funds.