One must-have feature of the downtrend is a constant stream of hacking incidents. Years ago, the main course was the centralized exchange; this year, the specialty is cross-chain bridge hacks.

According to Chainalysis, a blockchain data platform, $2 billion in cryptocurrency has been stolen across 13 cross-chain bridge hacks, most of which were stolen this year. Attacks on bridges account for 69% of total funds stolen in 2022, not including the latest BNB incident.

For today's topic, we will break down these exploits and attempt to explain why bridges are the favorite prey for hackers.


TL;DR

  • $2 billion in cryptocurrency has been stolen across 13 cross-chain bridge hacks, most of which were stolen this year. Attacks on bridges account for 69% of total funds stolen in 2022, not including the latest BNB incident.
  • A cross-chain bridge is a protocol that lets a user port digital assets from one blockchain to another. An individual deposits their tokens on one chain and receives a debt token on the other chain. Once an individual burns their debt token on one chain, the deposit is released on the other chain.
  • While providing efficient and flexible cross-chain asset transfer, the complex workflow involving both on-chain smart contracts and off-chain programs introduces new security issues.
  • Bridges are an attractive target because they often feature a central storage point of funds that back the “bridged” assets on the receiving blockchain.
  • While not foolproof, a valuable first step towards addressing issues could be for extremely rigorous code audits to become the gold standard of DeFi, both for those building protocols and for the investors evaluating them.

I. List of Cross-chain Bridge Hacks

Poly Network, $611M, Aug 2021

Poly Network is a cross-chain protocol network that allows users to trade one digital currency for another across various blockchains.

On August 10, 2021, the Poly Network faced a major attack. Hackers were able to transfer $611 million to three addresses after exploiting a vulnerability in the network's code. The next day, the hackers announced they planned to return the tokens and that they had been taken in order to reveal the vulnerabilities of Poly Network. All assets were returned to the Poly Network over 15 days following the attack.

Poly Network offered the hackers a $500,000 bug bounty and the position of chief security advisor.


Wormhole, $326M, Feb 2022

Wormhole is a DeFi service that acts as a bridge between blockchains, like the Solana and Ethereum blockchains. On Wormhole, users often send Ether to the bridge protocol to be locked in a collateral contract on the Ethereum blockchain. Those users are then issued an equivalent amount of wETH on the Solana blockchain.

In February 2022, a hacker exploited a Wormhole security vulnerability after an update to the software. The hacker found a flaw in the code and managed to mint 120,000 wETH (worth $326 million) without first depositing any Ether funds as collateral. The hacker then exchanged the wETH for $250 million in Ethereum and sent it to their account.

Wormhole offered the hacker $10 million to return the funds and details about the bug they exploited. The hacker did not respond and has not been identified.

Ronin, $624M, Mar 2022

On March 29, 2022, over $624 million was taken from the Ronin Network. The exploit was carried out by the North Korean hacking group Lazarus Group. Ronin is a gaming-focused blockchain network best known for the Axie Infinity crypto game published by Sky Mavis. The hackers attacked Sky Mavis's and Axie DAO's Ronin validator nodes—the system used to verify crypto transactions.

In a nutshell, the group hacked users' private keys and made false withdrawals. The hack took advantage of a backdoor vulnerability in the decentralized validation key scheme, using a gas-free RPC node to fake the signatures needed to validate false transactions. In just two transactions, 173,600 ETH and $25.5 million were stolen.

Axie Infinity reimbursed affected players, but funds were not immediately recovered from the hacker.

Harmony Bridge, $100M, Jun 2022

The Harmony Horizon Bridge was hacked on June 23, 2022 for $100 million. People can use Harmony's Horizon bridge to move digital and fiat currencies between blockchains. The bridge only needs two validating accounts to approve transactions. The hackers compromised private keys and were able to approve the transfer to their accounts.

Stolen tokens included Ethereum, Binance Coin, USD Coin, Dai, Frax Share, Wrapped Ether, Aave, SushiSwap, Wrapped BTC, and Tether — but have now all been swapped for Ether.

Elliptic, a blockchain analytics firm, identified the Lazarus Group (a North Korean hacking group) as likely responsible for the bridge hack.

Harmony paused the Horizon Bridge following the attack.

Nomad Bridge, $190M, Aug 2022

Nomad is a cross-chain bridge similar to Wormhole, allowing users to move tokens between different blockchains. In early August 2022, a total of $190 million was stolen from Nomad in just under three hours. A recent update to Nomad's smart contracts made it easy for users to spoof transactions. However, there was no single hacker behind the exploit. Any user with mediocre coding skills could authorize withdrawals to their account. It was basically digital mob looting, as users replicated the original hack for themselves.

The mob of hackers was able to pose as Nomad to validate transactions without depositing any money to back that exchange.

Nearly $33 million in funds were returned by white hat hackers. Nomad stated that if hackers returned 90% of their stolen funds, they could keep the other 10% and would not be legally prosecuted. Users that voluntarily returned funds would be declared white hat hackers and considered "testers" of the vulnerability.

BSC Token Hub, $569M, Oct 2022

BSC Token Hub is the native cross-chain bridge between Binance's BNB Beacon Chain and BNB Smart Chain.

In a blog post on Oct 7, the BNB Chain team said that a total of 2 million BNB — worth approximately $568 million — were initially withdrawn by the hacker. But the attacker only managed to take about $110 million because the majority of the stolen tokens, worth about $430 million, couldn’t be transferred following the suspension of the BNB Chain.

The attacker was able to forge proof messages that were then accepted by the BSC Token Hub bridge. The bug likely was a result of the bridge not fully verifying the Merkle proof to the root hash, which allowed the attacker to generate forged proofs from a previous, legitimate one and then mint BNB directly to their wallet.
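The kind of check the paragraph above says was incomplete, as an added example (not code from the original article or from the BNB Chain project): an inclusion verifier that recomputes the root from the message itself and every sibling hash. It assumes a plain binary SHA-256 Merkle tree rather than the bridge's real proof format, and the messages are constructed sample data.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(payload: bytes) -> bytes:
    # Domain-separate leaves (0x00) from inner nodes (0x01) so an inner
    # node can never be presented as a leaf.
    return _h(b"\x00" + payload)

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_tree(payloads):
    """Return (root, levels) for a power-of-two list of payloads."""
    level = [leaf_hash(p) for p in payloads]
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return level[0], levels

def make_proof(levels, index):
    """Sibling hashes, leaf level first, for the leaf at `index`."""
    proof = []
    for level in levels[:-1]:
        proof.append(level[index ^ 1])
        index //= 2
    return proof

def verify(root, payload, index, proof, depth):
    """Accept only if payload, hashed through every sibling, equals root."""
    if len(proof) != depth or not 0 <= index < (1 << depth):
        return False  # wrong-length proofs are rejected, never truncated
    node = leaf_hash(payload)
    for sibling in proof:
        if len(sibling) != 32:
            return False
        node = node_hash(sibling, node) if index & 1 else node_hash(node, sibling)
        index >>= 1
    return node == root  # root is recomputed, never read from the proof

# Constructed sample: four bridge messages committed under one root.
MESSAGES = [b"transfer:alice:10", b"transfer:bob:5", b"transfer:carol:7", b"transfer:dave:1"]
ROOT, LEVELS = build_tree(MESSAGES)
DEPTH = len(LEVELS) - 1
```

A legitimate proof verifies only for its own message and position; reusing its sibling hashes with a different payload, index, or length fails the final comparison.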

The D in BNB stands for Decentralized

II. Cross-Chain Vulnerabilities

The rise of Bitcoin has spawned thousands of cryptocurrencies and other crypto-assets with different and isolated blockchains. This diverse and fragmented nature of cryptocurrencies introduces a significant demand for asset interoperability to allow users to transfer assets between different blockchains.

Individuals can’t simply move their assets from one blockchain to another; instead, they have to use a cross-chain bridge to achieve this. Cross-chain bridges are designed to solve the challenge of interoperability between blockchains.

A cross-chain bridge is a protocol that lets a user port digital assets from one blockchain to another. For example, Wormhole is a cross-chain bridging protocol that allows users to move cryptocurrencies and NFTs between various smart contract blockchains such as Solana and Ethereum.

While bridge designs vary, users typically interact with cross-chain bridges by sending funds in one asset to the bridge protocol, where those funds are then locked into the contract. The user is then issued equivalent funds of a parallel asset on the chain the protocol bridges to.

In simple words, an individual deposits their tokens on one chain and receives a debt token on the other chain. Once an individual burns their debt token on one chain, the deposit is released on the other chain.

In the case of Wormhole, users typically send Ether (ETH) to the protocol, where it is held as collateral, and are issued Wormhole-wrapped ETH on Solana, backed by that collateral locked in the Wormhole contract on Ethereum.

Cross-chain bridges have become the most popular solution to support asset interoperability between blockchains. However, while providing efficient and flexible cross-chain asset transfer, the complex workflow involving both on-chain smart contracts and off-chain programs introduces new security issues.

Managing assets on different blockchains with a complex workflow gives attackers significant advantages. Cross-chain bridges involve both on-chain smart contracts and off-chain programs integrating with heterogeneous blockchains, introducing new system architecture and security requirements.

Bridges are an attractive target because they often feature a central storage point of funds that back the “bridged” assets on the receiving blockchain. Users lock various tokens on different blockchains to the bridge, and the bridge takes responsibility for validating these locked tokens, performing cross-chain trading logic like deposit or swap, and unlocking target tokens to users.

The bridge consists of two parts: the on-chain router contracts and the off-chain relayer. The router contracts interact with various token contracts and provide on-chain functions, including locking and unlocking users’ tokens. They also record token transfer information as specific on-chain events to communicate with the off-chain relayer. The off-chain relayer keeps fetching on-chain events from the source chain and coordinates router contracts on the destination chain to finish a cross-chain transfer.

Although the lock-then-unlock idea is fairly simple, cross-chain bridges face three practical challenges which have caused severe attacks in reality. First, managing various assets with inconsistent contract interfaces on heterogeneous blockchains introduces bug-prone on-chain logic. Second, the large gap between on-chain and off-chain components leads to complicated off-chain code and potential inconsistency between the on-chain router contracts and the off-chain relayer. Third, cross-chain bridges’ complex and multi-step workflow introduces large attack surfaces, including both traditional and blockchain-specific attacks.
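The lock-then-unlock workflow with the checks a bridge has to enforce at each step, as an added example that is not part of the original article: a validator quorum, a replay guard on deposit events, and the invariant that wrapped supply never exceeds locked collateral. The class, its fields and the validator names are hypothetical, and both chains plus the relayer are collapsed into one object for illustration.

```python
class BridgeModel:
    """Toy lock-mint / burn-release bridge; all names are hypothetical."""

    def __init__(self, validators, threshold):
        self.validators = set(validators)
        self.threshold = threshold
        self.locked = 0         # collateral held by the source-chain router
        self.minted = 0         # wrapped supply on the destination chain
        self.deposits = {}      # event_id -> amount emitted by the source router
        self.processed = set()  # event ids already minted (replay guard)
        self.balances = {}

    def lock(self, event_id, amount):
        # Source chain: the deposit is locked and recorded as an event.
        if amount <= 0 or event_id in self.deposits:
            raise ValueError("invalid or duplicate deposit")
        self.deposits[event_id] = amount
        self.locked += amount

    def mint(self, event_id, user, amount, approvals):
        # Destination chain: mint only for a real, unprocessed deposit that
        # a quorum of distinct, known validators attested to.
        signers = set(approvals) & self.validators
        if len(signers) < self.threshold:
            raise PermissionError("quorum not reached")
        if event_id in self.processed:
            raise ValueError("event already processed")
        if self.deposits.get(event_id) != amount:
            raise ValueError("no matching deposit")
        self.processed.add(event_id)
        self.minted += amount
        self.balances[user] = self.balances.get(user, 0) + amount

    def burn_and_release(self, user, amount):
        # Burn wrapped tokens first, then release the same amount of collateral.
        if amount <= 0 or self.balances.get(user, 0) < amount:
            raise ValueError("insufficient wrapped balance")
        self.balances[user] -= amount
        self.minted -= amount
        self.locked -= amount

    def solvent(self):
        # Core invariant: wrapped supply never exceeds locked collateral.
        return 0 <= self.minted <= self.locked
```

Checking `solvent()` after every state change gives a simple monitoring signal: any mint that is not backed by a recorded deposit breaks it immediately.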

Bridges are an appealing target because they often store so much money at a central storage point of funds, either locked up in a smart contract or held by a centralized custodian. A single point of failure was never a good idea. The irony with cross-chain bridges is their majority within the DeFi ecosystem. By centralizing smart contracts with funds and transactions written on them, they provide a focal point for criminals to exploit.

III. Conclusion

Vitalik Buterin, the co-founder of Ethereum, believes cross-chain bridges are inherently prone to security breaches.

"The fundamental security limits of bridges are actually a key reason why…I am pessimistic about cross-chain applications," Buterin wrote in a lengthy January Reddit post. The influential founder went on to express his belief that assets should be held in the same blockchain ecosystem, rather than shuffled between chains.

"the future will be *multi-chain*, but it will not be *cross-chain*" - said Vitalik Buterin.

Nonetheless, the current interoperable scenario relies on cross-chain protocols rather than a multichain approach. The need for interoperability in the space is more than obvious.

To prevent and reduce the impact caused by malicious attackers targeting blockchain bridges, this type of platform needs increasingly robust security measures.

Unfortunately, the challenge will not be overcome easily. The inherent flaws of cross-chain bridges are becoming more and more noticeable, and hackers are getting more sophisticated too.

Cross-chain platforms must learn from previous events and strengthen their security as much as possible. While not foolproof, a valuable first step towards addressing issues could be for extremely rigorous code audits to become the gold standard of DeFi, both for those building protocols and for the investors evaluating them. Over time, the strongest, safest smart contracts can serve as templates for developers to build from.

We hope for the future of multichain, with the help of cross-chain.