Connect with us


Explained: Why Hackers Keep Exploiting Blockchain Bridges

On January 7, 2022, Ethereum co-founder Vitalik Buterin warned against the security of cross-blockchain bridges. He argued with foresight that bridging assets between blockchains would never enjoy the same safeguards as staying in a single blockchain. He was right.

Safe convertibility of assets between blockchains is not guaranteed. To be precise, no one can actually “send” or “link” an asset to another blockchain. Instead, assets are deposited, locked, or burned on a single chain; then credited, unlocked or hit on the second channel.

Worse still, blockchains cannot access off-chain information. No blockchain can natively verify that a multi-blockchain asset is “bridged”. At best, third-party oracles attest to the veracity of off-chain information and interpret that data for on-chain use. However, this introduces the first layer of trust into the bridging process: trust in data oracles. The next layer of trust is that of custodians.

Typically, bridging occurs by depositing an asset with a custodian and receiving a “packaged” version of that asset from the custodian on the second blockchain. The user must trust the custodian to hold both the original asset and release the wrapped asset.

Sometimes this custodian can take the form of a DAO or a smart contract. Either way – whether it’s a DAO or a corporate entity like BitGo (the custodian of the world’s largest wrapped asset, wrapped bitcoin) – bridging introduces multiple layers of trust.

Continuing, the next layer of trust is price convertibility and parity. Simply put, it is not enough to have received a bridging asset. A user must further continue to trust that they will be able to reinstate this asset in the future on a 1 to 1 basis. One original item must equal one wrapped item. This is the price parity risk.

At a minimum, the bridged asset must maintain parity with the original asset. So, in this way, the user trusts the bridging process not only at the time of the exchange, but also for as long as he uses a wrapped asset in the future.

In summary, all of an asset’s security risks multiply exponentially for their bridged (encapsulated) counterparts.

Worried that Tether Limited won’t exchange USDT for $1? Link that same USDT to a blockchain not supported by Tether Limited and your risks have multiplied by custodian(s), smart contracts, liquidity, price parity, and most importantly, whether the bridge will burn not before you have to get back to safety.

In a way, cross-blockchain bridges are like wormholes: they transport matter through space, but they form and annihilate spontaneously.

In fact, Wormhole is the name of the best capitalized bridge in the world, connecting the Ethereum and Solana blockchains. It was hacked, like many bridges. Below is a list.

Multi-Channel Exploit on January 19, 2022

Attackers stole $3 million in a Multichain cross-blockchain bridge exploit earlier this year. Multichain issued an initial message that caused users to question if their funds were safe. It warned users to withdraw WETH, MATIC, AVAX, PERI, OMT and WBNB tokens from affected smart contracts on its platform.

Multichannel later said an attacker returned 259 stolen ETH in the attack. Tether froze USDT on addresses linked to the exploit.

January 27, 2022 Qubit exploit

Qubit Finance lost 206,809 BNB ($80 million) in a QBridge exploit on January 27, 2022. The project built its protocol on Binance Chain.

The exploit fraudulently minted 77,162 qXETH, which attackers could exchange for BNB tokens. Qubit offered to negotiate with the attacker to recover the funds.

Qubit tries to make contact with a hacker.

Wormhole exploit February 2, 2022

The attackers fraudulently minted 120,000 wrapped ETH on the Solana blockchain using the Wormhole Bridge on February 2, 2022. They created a spoofed signing account to validate their transactions.

A Paradigm researcher reverse-engineered the attack and determined that Wormhole failed to implement a more robust validation protocol for its Guardian signatures.

Researcher explains Wormhole’s hundreds of millions of dollars lost.’s Meter Passport exploit on February 5, 2022’s Meter Passport bridge lost $4.4 million in an exploit on February 5, 2022. The exploit targeted Moonriver smart contract platform on Polkadot’s Kusama network. The attackers stole BNB and wrapped ETH, then dumped the BNB on decentralized exchange UniSwap.

This exploit caused a crash in BNB prices that allowed others to scoop up cheap BNB and use it as collateral for loans on platforms like Hundred Crisis. The loans caused supply issues for affected loan applications.

Wrapped Ethereum is not the same as Ethereum.

Operation of the Ronin Bridge on March 29, 2022

Attackers stole 173,600 ETH and 25.5 million USDC (approximately $600 million) from the Ronin Bridge on March 29, 2022. The exploit involved accessing the private keys of validator nodes. The Ronin Bridge developers have halted deposits and withdrawals until investigators have a chance to determine what happened.

The developers built the Ronin sidechain of the Axie Infinity Ethereum game to save on fees. Unfortunately, they compromised security.

Axie Infinity’s so-called “play to win” game has lost $600 million of its users’ money.

April 7, 2022 WonderHero exploit

WonderHero discovered an exploit of its bridge on April 7, 2022, when the value of its native WND token unexpectedly dropped by 50%. He lost $300,000 in WND tokens in the attack.

WonderHero has suspended its website, game, bridge, deposits and withdrawals while it investigates. It restarted the game, the market and the yield system. WonderHero has since published an analysis confirming that its Binance bridge has been compromised.

Harmony One’s Horizon Bridge exploit on June 23, 2022

Harmony One’s Horizon Bridge lost $100 million in an exploit on June 23, 2022. His team said he was working with law enforcement authorities and forensic experts to investigate the exploit. The address used to receive the stolen funds was given a “Horizon Bridge Exploiter” label on Etherscan. The Horizon Bridge Exploiter currently holds just over $93,000 in tokens.

Hackers steal $100 million from Harmony ONE’s cross-blockchain bridge.

Read more: Inter-blockchain bridges continue to break as crypto startup Nomad is hacked for $190 million

July 10, 2022 ChainSwap exploit

ChainSwap lost 20 million WILD tokens in an exploit on July 10, 2022. Wilder World uses WILD as a native token. A pseudonymous Twitter user and “citizen” of Wilder World noticed the ChainSwap exploit on July 10, 2022. The exploit also affected Antimatter, Optionroom, Umbrellabank, Nord, Razor, Peri, Unido, Oro, Vortex, Blank, and Unifarm tokens.

ChainSwap froze its Ethereum-Binance Smart Chain bridge during its investigation.

Prior to this incident, ChainSwap suffered another exploit in which it lost $800,000 in tokens on July 2. He managed to recoup some of those losses in this attack.

Nomadic exploit of August 2, 2022

Attackers stole $190 million in tokens by exploiting a vulnerability in Nomad’s smart contract on August 2, 2022. Once the method used to exploit the smart contract became public knowledge, a mass attack drained a massive amount of ‘silver.

CISO by Andressen Horowitz suggested that some looters might have been “white hat” exploiters aiming to keep money out of the hands of nefarious actors. Nomadic said he worked with law enforcement and private security companies to investigate and thanked the white hat actors for taking the initiative to protect the funds.

For more informed news, follow us on Twitter and Google News or listen to our investigative podcast Innovated: Blockchain City.

#Explained #Hackers #Exploiting #Blockchain #Bridges

Click to comment

Leave a Reply

Your email address will not be published.