On January 7, 2022, Ethereum co-founder Vitalik Buterin warned about the security of cross-blockchain bridges. He argued, with foresight, that assets bridged between blockchains would never enjoy the same safeguards as assets that stay on a single blockchain. He was right.
Safe convertibility of assets between blockchains is not guaranteed. To be precise, no one can actually “send” or “bridge” an asset to another blockchain. Instead, assets are deposited, locked, or burned on one chain, then credited, unlocked, or minted on the second chain.
Worse still, blockchains cannot access off-chain information. No blockchain can natively verify that a multi-blockchain asset is “bridged”. At best, third-party oracles attest to the veracity of off-chain information and interpret that data for on-chain use. However, this introduces the first layer of trust into the bridging process: trust in data oracles. The next layer of trust is that of custodians.
Typically, bridging occurs by depositing an asset with a custodian and receiving a “wrapped” version of that asset from the custodian on the second blockchain. The user must trust the custodian both to hold the original asset and to release the wrapped asset.
Sometimes this custodian can take the form of a DAO or a smart contract. Either way – whether it’s a DAO or a corporate entity like BitGo (the custodian of the world’s largest wrapped asset, wrapped bitcoin) – bridging introduces multiple layers of trust.
Continuing, the next layer of trust is price convertibility and parity. Simply put, it is not enough to have received a bridged asset. A user must also continue to trust that they will be able to redeem this asset in the future on a 1-to-1 basis. One original item must equal one wrapped item. This is the price parity risk.
At a minimum, the bridged asset must maintain parity with the original asset. In this way, the user trusts the bridging process not only at the time of the exchange, but also for as long as they use a wrapped asset in the future.
In summary, all of an asset’s security risks multiply exponentially for its bridged (wrapped) counterpart.
Worried that Tether Limited won’t exchange USDT for $1? Bridge that same USDT to a blockchain not supported by Tether Limited and your risks have multiplied by custodian(s), smart contracts, liquidity, price parity, and most importantly, whether the bridge will burn before you have to get back to safety.
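The lock-and-mint accounting described above implies an invariant a monitor can check: every wrapped token minted must trace to a locked original, and every release from custody must trace to a burn. The Python below is an added example, not code from the article or from any bridge project; the event kinds, `ref` identifiers and sample stream are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str    # "lock"/"unlock" on the source chain, "mint"/"burn" on the destination
    ref: str     # hypothetical deposit/withdrawal id linking the two sides
    amount: int  # smallest token units

def reconcile(events):
    """Replay bridge events in order; return (locked, wrapped_supply, alerts)."""
    locked = supply = redeemable = 0
    unminted = {}   # ref -> locked amount with no wrapped tokens issued yet
    alerts = []
    for e in events:
        if e.kind == "lock":
            locked += e.amount
            unminted[e.ref] = unminted.get(e.ref, 0) + e.amount
        elif e.kind == "mint":
            backing = unminted.get(e.ref, 0)
            if e.amount > backing:      # wrapped tokens issued without a deposit
                alerts.append(("UNBACKED_MINT", e.ref, e.amount - backing))
            unminted[e.ref] = max(backing - e.amount, 0)
            supply += e.amount
        elif e.kind == "burn":
            supply -= e.amount
            redeemable += e.amount      # burned tokens entitle a later unlock
        elif e.kind == "unlock":
            if e.amount > redeemable:   # custody released without a burn
                alerts.append(("UNBACKED_UNLOCK", e.ref, e.amount - redeemable))
            redeemable = max(redeemable - e.amount, 0)
            locked -= e.amount
        else:
            raise ValueError(f"unknown event kind: {e.kind}")
    return locked, supply, alerts

def parity_deficit(locked, supply):
    """Wrapped tokens in circulation that no locked original can redeem."""
    return max(supply - locked, 0)

# Constructed sample event stream (not real chain data).
SAMPLE = [
    Event("lock", "d1", 100), Event("mint", "d1", 100),
    Event("mint", "d2", 500),            # mint with no matching lock
    Event("burn", "w1", 40), Event("unlock", "w1", 40),
    Event("unlock", "w2", 60),           # custody release with no matching burn
]

if __name__ == "__main__":
    locked, supply, alerts = reconcile(SAMPLE)
    print(locked, supply, parity_deficit(locked, supply), alerts)
```

A nonzero deficit means the 1-to-1 redemption promise can no longer be honored for every holder of the wrapped asset.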
In a way, cross-blockchain bridges are like wormholes: they transport matter through space, but they form and annihilate spontaneously.
In fact, Wormhole is the name of the best capitalized bridge in the world, connecting the Ethereum and Solana blockchains. It was hacked, like many bridges. Below is a list.
Multichain exploit on January 19, 2022
Attackers stole $3 million in a Multichain cross-blockchain bridge exploit earlier this year. Multichain issued an initial message that caused users to question if their funds were safe. It warned users to withdraw WETH, MATIC, AVAX, PERI, OMT and WBNB tokens from affected smart contracts on its platform.
Multichain later said an attacker returned 259 ETH stolen in the attack. Tether froze USDT on addresses linked to the exploit.
Qubit exploit on January 27, 2022
Qubit Finance lost 206,809 BNB ($80 million) in a QBridge exploit on January 27, 2022. The project built its protocol on Binance Chain.
The exploit fraudulently minted 77,162 qXETH, which attackers could exchange for BNB tokens. Qubit offered to negotiate with the attacker to recover the funds.
Wormhole exploit on February 2, 2022
The attackers fraudulently minted 120,000 wrapped ETH on the Solana blockchain using the Wormhole Bridge on February 2, 2022. They created a spoofed signing account to validate their transactions.
A Paradigm researcher reverse-engineered the attack and determined that Wormhole failed to implement a more robust validation protocol for its Guardian signatures.
Meter.io’s Meter Passport exploit on February 5, 2022
Meter.io’s Meter Passport bridge lost $4.4 million in an exploit on February 5, 2022. The exploit targeted the Moonriver smart contract platform on Polkadot’s Kusama network. The attackers stole BNB and wrapped ETH, then dumped the BNB on the decentralized exchange Uniswap.
This exploit caused a crash in BNB prices that allowed others to scoop up cheap BNB and use it as collateral for loans on platforms like Hundred Crisis. The loans caused supply issues for affected loan applications.
Ronin Bridge exploit on March 29, 2022
Attackers stole 173,600 ETH and 25.5 million USDC (approximately $600 million) from the Ronin Bridge on March 29, 2022. The exploit involved accessing the private keys of validator nodes. The Ronin Bridge developers have halted deposits and withdrawals until investigators have a chance to determine what happened.
The developers built the Ronin sidechain for the Ethereum game Axie Infinity to save on fees. Unfortunately, they compromised on security.
WonderHero exploit on April 7, 2022
WonderHero discovered an exploit of its bridge on April 7, 2022, when the value of its native WND token unexpectedly dropped by 50%. It lost $300,000 in WND tokens in the attack.
WonderHero has suspended its website, game, bridge, deposits and withdrawals while it investigates. It restarted the game, the market and the yield system. WonderHero has since published an analysis confirming that its Binance bridge has been compromised.
Harmony One’s Horizon Bridge exploit on June 23, 2022
Harmony One’s Horizon Bridge lost $100 million in an exploit on June 23, 2022. Its team said it was working with law enforcement authorities and forensic experts to investigate the exploit. The address used to receive the stolen funds was given a “Horizon Bridge Exploiter” label on Etherscan. The Horizon Bridge Exploiter currently holds just over $93,000 in tokens.
ChainSwap exploit on July 10, 2022
ChainSwap lost 20 million WILD tokens in an exploit on July 10, 2022. Wilder World uses WILD as a native token. A pseudonymous Twitter user and “citizen” of Wilder World noticed the ChainSwap exploit on July 10, 2022. The exploit also affected Antimatter, Optionroom, Umbrellabank, Nord, Razor, Peri, Unido, Oro, Vortex, Blank, and Unifarm tokens.
ChainSwap froze its Ethereum-Binance Smart Chain bridge during its investigation.
Prior to this incident, ChainSwap suffered another exploit in which it lost $800,000 in tokens on July 2. It managed to recoup some of the losses from that attack.
Nomad exploit on August 2, 2022
Attackers stole $190 million in tokens by exploiting a vulnerability in Nomad’s smart contract on August 2, 2022. Once the method used to exploit the smart contract became public knowledge, a mass attack drained a massive amount of money.
Andreessen Horowitz’s CISO suggested that some looters might have been “white hat” exploiters aiming to keep money out of the hands of nefarious actors. Nomad said it worked with law enforcement and private security companies to investigate and thanked the white hat actors for taking the initiative to protect the funds.