On January 7, 2022, Ethereum co-founder Vitalik Buterin warned about the security of cross-blockchain bridges. He presciently argued that bridging assets across blockchains would never enjoy the same guarantees as staying within one blockchain. He was right.
The safe convertibility of assets between blockchains is not guaranteed. To be precise, no one can actually “send” nor “bridge” an asset to another blockchain. Instead, assets are deposited, locked, or burned on one chain; then credited, unlocked, or minted on the second chain.
Worse, blockchains cannot access off-chain information. No blockchain can natively verify that any multi-blockchain asset is “bridged.” At best, third-party oracles attest to the truthfulness of off-chain information and interpret that data for on-chain use. However, this introduces the first layer of trust to the bridging process: trust in data oracles. The next layer of trust is custodians.
Typically, bridging occurs by depositing one asset with a custodian and receiving a “wrapped” version of that asset from the custodian on the second blockchain. The user must trust the custodian to both safekeep the original asset and release the wrapped asset.
Sometimes, this custodian can take the form of a DAO or smart contract. In any case — whether a DAO or a corporate entity like BitGo (the custodian of the world’s largest wrapped asset, wrapped bitcoin) — bridging introduces several layers of trust.
Continuing, the next layer of trust is convertibility and price parity. Put simply, it’s not enough to have received a bridge asset. A user must additionally continue to trust that they will be able to bridge that asset back in the future on a 1-for-1 basis. One original asset must equal one wrapped asset. This is price parity risk.
At a minimum, the bridged asset must maintain parity with the original asset. So, in this way, the user is trusting the bridging process not just at the swapping moment, but also for as long as they are using a wrapped asset in the future.
In summary, all of the security risks of an asset multiply exponentially for their bridged (wrapped) counterparts.
Concerned about Tether Limited not redeeming one USDT for $1? Bridge that same USDT to a blockchain not supported by Tether Limited and your risks have multiplied by custodian(s), smart contracts, liquidity, price parity, and most of all, whether the bridge will not burn down before you need to traverse back to safety.
In a way, cross-blockchain bridges are like wormholes: they transport material across space, but they form and annihilate spontaneously.
In fact, Wormhole is the name of the world’s most well-capitalized bridge, linking the blockchains of Ethereum and Solana. It was hacked — as have many bridges. Below is a list.
Attackers stole $3 million in an exploit of the Multichain cross-blockchain bridge at the beginning of the year. Multichain issued initial messaging that caused users to question whether their funds were safe. It warned users to withdraw the tokens WETH, MATIC, AVAX, PERI, OMT, and WBNB from affected smart contracts on its platform.
Multichain later said one attacker returned 259 ETH stolen in the attack. Tether froze USDT on addresses linked to the exploit.
Qubit Finance lost 206,809 BNB ($80 million) in an exploit of QBridge on January 27, 2022. The project built its protocol on Binance Chain.
The exploit fraudulently minted 77,162 qXETH, which the attackers could redeem for BNB tokens. Qubit offered to negotiate with the attacker to regain the funds.
pic.twitter.com/G1WOMglVUU
Attackers fraudulently minted 120,000 wrapped ETH on Solana’s blockchain using the Wormhole bridge on February 2, 2022. They created a spoofed signature account to validate their transactions.
A Paradigm researcher reverse-engineered the attack and determined that Wormhole had failed to implement a more robust validation protocol for its guardian signatures.
tl;dr – Wormhole didn't properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.
Meter.io’s Meter Passport bridge lost $4.4 million in an exploit on February 5, 2022. The exploit targeted the Moonriver smart contract platform on Polkadot’s Kusama network. The attackers stole BNB and wrapped ETH and then dumped the BNB on the decentralized exchange UniSwap.
This exploit caused a BNB price plummet that allowed other individuals to scoop up cheap BNB and use it as collateral for loans on platforms like Hundred Crisis. The loans caused supply issues for the affected loan apps.
1. Around 6am Pacific time we identified someone was able to leverage a vulnerability of the bridge to mint a large amount of BNB and WETH tokens and depleted the bridge reserve for BNB on WETH.
Attackers stole 173,600 ETH and 25.5 million USDC (about $600 million) from the Ronin bridge on March 29, 2022. The exploit involved gaining access to validator nodes’ private keys. The Ronin bridge’s developers halted deposits and withdrawals until investigators had a chance to determine what happened.
Developers built the Axie Infinity game Ethereum’s Ronin sidechain to save on fees. Unfortunately, they compromised on security.
You cannot make this up Hacker steals $600MM in ETH from Ronin blockchain the one underlying Axie Hacker then goes short Ronin & AXS (Axie token) knowing as soon as news breaks that tokens will plummet But NO ONE notices and they get liquidated on short before news breaks
WonderHero discovered an exploit of its bridge on April 7, 2022, when the value of its native WND token unexpectedly plummeted by 50%. It lost $300,000 in WND tokens in the attack.
WonderHero paused its website, game, bridge, deposits, and withdrawals while investigating. It restarted the game, marketplace, and yield system. Since then, WonderHero posted an analysis confirming that its Binance bridge had been compromised.
Harmony One’s Horizon Bridge lost $100 million in an exploit on June 23, 2022. Its team said it was working with law enforcement authorities and forensics experts to investigate the exploit. The address used to receive the stolen funds received a “Horizon Bridge Exploiter” label on Etherscan. The Horizon Bridge Exploiter currently holds just over $93,000 in tokens.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds. More 🧵
Read more: Cross-blockchain bridges keep breaking as crypto startup Nomad hacked for $190M
ChainSwap lost 20 million WILD tokens in an exploit on July 10, 2022. Wilder World uses WILD as its native token. A pseudonymous Twitter user and Wilder World “citizen” noticed the ChainSwap exploit on July 10, 2022. The exploit also affected Antimatter, Optionroom, Umbrellabank, Nord, Razor, Peri, Unido, Oro, Vortex, Blank, and Unifarm tokens.
ChainSwap froze its Ethereum-Binance Smart Chain bridge while it investigated.
Prior to this incident, ChainSwap suffered another exploit in which it lost $800,000 in tokens on July 2. It managed to recoup some of those losses in that attack.
Attackers stole $190 million in tokens by exploiting a vulnerability in Nomad’s smart contract on August 2, 2022. Once the method used to exploit the smart contract became public, a mass attack drained a considerable amount of the money.
Andressen Horowitz’s CISO suggested that some looters might have been “white hat” exploiters aiming to keep money out of the hands of nefarious actors. Nomad said it was working with law enforcement and private security firms to investigate and thanked the white hat actors for taking the initiative to protect funds.
For more informed news, follow us on Twitter and Google News or listen to our investigative podcast Innovated: Blockchain City.