There are hundreds of public chains in the blockchain world, but most of them lack mainstream assets, so users rely on cross-chain bridges to bring assets over from chains such as Ethereum. DeFi security incidents have been frequent recently, and cross-chain bridges, which hold large amounts of funds, are attacked often. In this article PANews reviews 10 of the larger attacks on cross-chain bridges to date; every development team should treat them as an alarm. Relatively speaking, the stronger the development team's background and the better capitalised the bridge, the easier it has been to recover assets or have the project compensate users after an incident, so users are safer choosing a well-backed bridge.
ChainSwap: $8 million in funds involved, tokens reissued
On July 2 and July 11, 2021, ChainSwap was hacked twice, losing about $800,000 the first time and about $8 million the second time. The second attack was the more extensive, affecting more than 20 projects that used ChainSwap for cross-chain transfers.
According to ChainSwap's investigation, the protocol did not strictly validate signatures, so the attacker could submit transactions with signatures he had generated himself.
Since the losses consisted entirely of the affected projects' governance tokens, several projects, ChainSwap included, decided to take a snapshot and issue new tokens to compensate token holders and LPs.
Related reading: "Cross-chain bridge project Chainswap hacked again, over 20 projects stolen"
Poly Network: $610 million involved, recovered
On the evening of August 10, 2021, the cross-chain interoperability protocol Poly Network was hacked and lost about $250 million, $270 million and $85 million in assets on Ethereum, Binance Smart Chain and Polygon respectively, a total of roughly $610 million.
The root cause was a flaw in Poly Network's contract permission management. The cross-chain manager contract, which owned the data contract holding the Keeper (relay-chain verifier) set, would execute whatever call a verified cross-chain message asked for, including a call to that data contract. The attacker constructed an operation on the source chain that replaced the target chain's Keeper with his own address; the official relayer submitted it unsuspectingly and the manager executed it, swapping out the Keeper. The attacker then signed asset-transfer operations with the Keeper key he now controlled; these passed verification, were executed, and the assets went to his address.
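The control-plane failure described above, modelled as an added example that is not Poly Network's code: a manager contract verifies Keeper signatures and then performs whatever call the message names, including a call to the data contract it owns. The contract names, the keyed-hash stand-in for ECDSA signatures and the 2/3+1 threshold are assumptions; `restrict_targets=True` is the hardening, a deny-list of the bridge's own control contracts:

```python
"""Model of the Poly Network Keeper-replacement flaw. Added example, not Poly
Network's code: names, the keyed-hash 'signature' and the 2/3+1 threshold are
assumptions that reproduce the bug class."""
import hashlib
import hmac
import json


def sign(secret, msg):
    """A Keeper attests that `msg` was really emitted on the source chain.
    A keyed hash stands in for an ECDSA signature in this model."""
    body = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


class CrossChainData:
    """Stores the Keeper set. Only its owner (the manager contract) may change it."""

    def __init__(self, owner_name, keepers):
        self.owner_name = owner_name
        self.keepers = dict(keepers)  # keeper name -> signing secret

    def put_keepers(self, caller_name, keepers):
        if caller_name != self.owner_name:
            raise PermissionError("only the owner may replace Keepers")
        self.keepers = dict(keepers)


class CrossChainManager:
    """Verifies Keeper signatures, then performs the call the message asks for."""

    name = "manager"

    def __init__(self, data, restrict_targets):
        self.data = data
        self.restrict_targets = restrict_targets  # False = vulnerable, True = hardened
        self.vault = {"alice": 100, "attacker": 0}

    def verify_and_execute(self, msg, sigs):
        keepers = self.data.keepers
        valid = [k for k, s in sigs.items()
                 if k in keepers and hmac.compare_digest(s, sign(keepers[k], msg))]
        required = (2 * len(keepers)) // 3 + 1
        if len(valid) < required:
            raise PermissionError("not enough Keeper signatures")
        target = msg["target"]
        # Hardened variant: a verified message may move locked assets but must
        # never be able to re-point the bridge's own trust roots.
        if self.restrict_targets and target in ("data", self.name):
            raise PermissionError("message may not target bridge control contracts")
        if target == "data":
            # The manager owns the data contract, so the owner check passes.
            self.data.put_keepers(self.name, msg["args"]["keepers"])
        elif target == "vault":
            self.vault[msg["args"]["to"]] += msg["args"]["amount"]
        else:
            raise ValueError("unknown target")


def run_attack(restrict_targets):
    """Replays the two-step attack; returns what the attacker drained."""
    honest = {"k1": "s1", "k2": "s2", "k3": "s3", "k4": "s4"}
    mgr = CrossChainManager(CrossChainData(CrossChainManager.name, honest), restrict_targets)
    # Step 1: a well-formed source-chain message. Honest Keepers attest to its
    # provenance; they do not interpret what the target call will do.
    step1 = {"target": "data", "args": {"keepers": {"attacker": "evil"}}}
    mgr.verify_and_execute(step1, {k: sign(s, step1) for k, s in honest.items()})
    # Step 2: the attacker is now the only Keeper and signs a withdrawal alone.
    step2 = {"target": "vault", "args": {"to": "attacker", "amount": 100}}
    mgr.verify_and_execute(step2, {"attacker": sign("evil", step2)})
    return mgr.vault["attacker"]


if __name__ == "__main__":
    print("vulnerable bridge drained:", run_attack(False))
```

The point the model makes: the Keepers attest to where a message came from, not to what it does, so the executing contract has to bound what a verified message may touch. run_attack(False) drains the vault; run_attack(True) rejects step 1 before the Keeper set can be replaced.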
The attacker had prepared in advance: the initial funds came from the privacy coin XMR, which was exchanged for BNB, ETH and MATIC on exchanges that did not require KYC. In the end, however, the hacker returned all of the funds; Poly Network called him a "white hat" and offered him the post of chief security advisor.
Related reading: "The biggest DeFi hack of the year: Poly Network attack process explained".
Multichain: $6 million involved, paid out
On January 18, 2022, Multichain announced that a critical vulnerability affecting six tokens (WETH, PERI, OMT, WBNB, MATIC and AVAX) had been discovered; although the vulnerability had been fixed, users needed to revoke their approvals as soon as possible or their assets could still be at risk. A month later Multichain published its investigation report: 7,962 user addresses were affected, 4,861 of which had revoked their approvals while the remaining 3,101 had not. A total of 1,889.6612 WETH and 833.4191 AVAX were stolen, worth about $6.04 million at January 18 prices.
According to the SlowMist security team's analysis, the theft happened because the router did not check the legitimacy of the token address passed in by the user and did not take into account that not all underlying tokens implement the permit function. WETH has no permit, so the call fell through to its fallback without reverting, and the WETH of users who had previously approved the AnyswapV4Router contract was transferred to addresses the attacker had maliciously constructed.
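The permit path described above, as an added example rather than Multichain's code: a router that calls permit() on whatever token the caller names and then spends the owner's existing allowance. The WETH class imitates WETH9's non-reverting fallback; the nonce check in the hardened path is this example's own defence (an EIP-2612 permit must consume a nonce), not the project's actual fix:

```python
"""Model of the Multichain (AnyswapV4Router) permit flaw. Added example, not
Multichain's code: the token and router classes are simplified stand-ins, and
the nonce check in the hardened path is this example's own defence."""
import hashlib


class PermitToken:
    """ERC-20 with EIP-2612 permit: a valid owner signature sets an allowance
    and consumes the owner's nonce."""

    def __init__(self, balances, secrets):
        self.balances = dict(balances)
        self.allowance = {}
        self._nonces = {}
        self._secrets = secrets  # owner -> secret, stands in for a key pair

    def _digest(self, owner, spender, value, nonce):
        raw = f"{self._secrets[owner]}|{spender}|{value}|{nonce}".encode()
        return hashlib.sha256(raw).hexdigest()

    def sign_permit(self, owner, spender, value):
        return self._digest(owner, spender, value, self.nonces(owner))

    def nonces(self, owner):
        return self._nonces.get(owner, 0)

    def permit(self, owner, spender, value, signature):
        if signature != self._digest(owner, spender, value, self.nonces(owner)):
            raise ValueError("bad permit signature")
        self._nonces[owner] = self.nonces(owner) + 1
        self.allowance[(owner, spender)] = value

    def approve(self, owner, spender, value):
        self.allowance[(owner, spender)] = value

    def transfer_from(self, caller, src, dst, value):
        if self.allowance.get((src, caller), 0) < value:
            raise ValueError("insufficient allowance")
        if self.balances.get(src, 0) < value:
            raise ValueError("insufficient balance")
        self.allowance[(src, caller)] -= value
        self.balances[src] -= value
        self.balances[dst] = self.balances.get(dst, 0) + value


class WETH:
    """WETH9 has no permit(). Its fallback accepts any unknown call without
    reverting; __getattr__ imitates that by answering any unknown name with a
    no-op that returns nothing."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, value):
        self.allowance[(owner, spender)] = value

    transfer_from = PermitToken.transfer_from

    def __getattr__(self, name):
        return lambda *args, **kwargs: None


class Router:
    """The bridge router's 'swap out underlying with permit' entry point."""

    name = "router"

    def swap_out_vulnerable(self, token, owner, to, amount, signature):
        # Trusts that a non-reverting permit() means the owner consented, then
        # spends whatever allowance `owner` already granted the router.
        token.permit(owner, self.name, amount, signature)
        token.transfer_from(self.name, owner, to, amount)

    def swap_out_hardened(self, token, owner, to, amount, signature):
        # A genuine EIP-2612 permit consumes exactly one nonce; a fallback that
        # swallows the call cannot fake that.
        before = token.nonces(owner)
        token.permit(owner, self.name, amount, signature)
        after = token.nonces(owner)
        if before is None or after != before + 1:
            raise ValueError("token did not perform an EIP-2612 permit")
        token.transfer_from(self.name, owner, to, amount)


def attack(hardened):
    """Attacker names the victim as `owner` and supplies a garbage signature."""
    weth = WETH({"victim": 10})
    weth.approve("victim", Router.name, 10)  # victim's earlier, legitimate approval
    swap = Router().swap_out_hardened if hardened else Router().swap_out_vulnerable
    try:
        swap(weth, "victim", "attacker", 10, "garbage")
    except ValueError:
        pass
    return weth.balances.get("attacker", 0)


def legitimate_permit_swap():
    """The hardened path still works for a token that really implements permit."""
    token = PermitToken({"alice": 5}, {"alice": "alice-secret"})
    sig = token.sign_permit("alice", Router.name, 5)
    Router().swap_out_hardened(token, "alice", "bob", 5, sig)
    return token.balances["bob"]
```

attack(False) ends with the victim's 10 WETH in the attacker's balance; attack(True) ends with 0 because the fallback cannot answer nonces(). For users the lesson matches Multichain's advice: an open approval to a router is only as safe as every code path the router can reach with it, which is why revoking the approval was urgent even after the fix.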
By the time Multichain published its investigation report, 912.7984 WETH and 125 AVAX had been recovered, nearly 50% of the stolen funds. The team put forward a proposal to refund the stolen funds to users who had revoked their contract approvals, but to stop paying out for losses incurred after 24:00 on February 18.
Related reading: "SlowMist analyzes the Multichain theft: a contract function did not check the legitimacy of the user's incoming token"
QBridge: $80 million involved, only 2% payout
On January 28, 2022, QBridge, the cross-chain bridge of the lending protocol Qubit, was attacked, with losses of about $80 million.
The cause was that QBridge did not check for the zero address when handling transfers of whitelisted tokens. ERC20 deposits and ETH deposits were implemented separately, and the deposit function was meant to receive ERC20 tokens; the attacker called it with the token address set to the zero address, and since the "transfer" from a non-existent token contract did not fail, a large amount of xETH was minted on BSC out of thin air without any tokens being deposited. Using this xETH as collateral, the attacker borrowed other tokens from Qubit until its collateral pools were drained.
Qubit is now virtually unused, and its website shows that 98% of the stolen funds have yet to be repaid.
Related reading: "Qubit Project QBridge Hacked: $80 Million Gone"
Meter.io: $4.4 million involved, paid out with future earnings
On February 6, 2022, the Meter Passport cross-chain bridge was exploited, causing a loss of $4.4 million.
Meter said the problem was a "faulty trust assumption" in the code Meter had added on top of the bridge it was built on, which allowed the attacker to forge BNB and ETH deposits by calling the underlying ERC20 deposit function directly instead of the native-asset path.
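The QBridge and Meter Passport bugs are the same accounting mistake, a deposit credited that was never received, so one added example (not either project's code) models both: a low-level call to the zero address "succeeds" with empty return data, and the wrapped-native branch skips the token pull because it assumes the native path already collected the funds. The chain stand-in, the addresses and the handler logic are assumptions; the hardened path rejects the zero address, requires code at the token address and checks that the bridge's balance actually grew by the deposited amount:

```python
"""Model of the deposit-accounting flaws behind the QBridge and Meter Passport
incidents. Added example, not either project's code: the chain stand-in, the
addresses and the handler logic are assumptions that reproduce the bug class."""

ZERO = "0x0000000000000000000000000000000000000000"
WETH = "0xweth"  # assumed address of the wrapped native token


class Erc20:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, value):
        self.allowance[(owner, spender)] = value

    def transfer_from(self, caller, src, dst, value):
        if self.allowance.get((src, caller), 0) < value or self.balances.get(src, 0) < value:
            raise ValueError("ERC20: transfer failed")
        self.allowance[(src, caller)] -= value
        self.balances[src] -= value
        self.balances[dst] = self.balances.get(dst, 0) + value


class Chain:
    """Tiny EVM stand-in: a low-level call to an address without code succeeds
    and returns empty data, which is what lets the zero address pass for a token."""

    def __init__(self):
        self.code = {WETH: Erc20({"alice": 50})}

    def has_code(self, addr):
        return addr in self.code

    def call_transfer_from(self, token, caller, src, dst, value):
        if token not in self.code:
            return True, b""  # no code at target: 'success', no return data
        try:
            self.code[token].transfer_from(caller, src, dst, value)
            return True, b"\x01"
        except ValueError:
            return False, b""

    def balance_of(self, token, who):
        return self.code[token].balances.get(who, 0) if token in self.code else 0


class Bridge:
    address = "0xbridge"

    def __init__(self, chain):
        self.chain = chain
        self.whitelist = {ZERO, WETH}  # ZERO doubles as the resource id for native ETH
        self.credited = {}             # what a relayer would mint on the other chain

    def _credit(self, sender, amount):
        self.credited[sender] = self.credited.get(sender, 0) + amount

    def deposit_native(self, sender, msg_value):
        self._credit(sender, msg_value)

    def deposit_erc20_vulnerable(self, sender, token, amount):
        if token not in self.whitelist:
            raise ValueError("token not whitelisted")
        if token != WETH:
            # QBridge-style: ZERO is whitelisted and the empty-data 'success' is trusted.
            ok, _ = self.chain.call_transfer_from(token, self.address, sender, self.address, amount)
            if not ok:
                raise ValueError("transfer failed")
        # Meter-style: wrapped-native deposits are assumed to have come through
        # deposit_native(), so for WETH nothing is pulled from the sender at all.
        self._credit(sender, amount)

    def deposit_erc20_hardened(self, sender, token, amount):
        if token not in self.whitelist or token == ZERO or not self.chain.has_code(token):
            raise ValueError("not a deployed, whitelisted token")
        before = self.chain.balance_of(token, self.address)
        ok, _ = self.chain.call_transfer_from(token, self.address, sender, self.address, amount)
        after = self.chain.balance_of(token, self.address)
        if not ok or after - before != amount:
            raise ValueError("bridge did not actually receive the tokens")
        self._credit(sender, amount)


def forge(token, hardened):
    """Attacker holds nothing and calls the ERC-20 deposit path with `token`."""
    bridge = Bridge(Chain())
    deposit = bridge.deposit_erc20_hardened if hardened else bridge.deposit_erc20_vulnerable
    try:
        deposit("attacker", token, 1000)
    except ValueError:
        pass
    return bridge.credited.get("attacker", 0)


def honest_deposit():
    """A real depositor still gets credited on the hardened path."""
    chain = Chain()
    chain.code[WETH].approve("alice", Bridge.address, 50)
    bridge = Bridge(chain)
    bridge.deposit_erc20_hardened("alice", WETH, 50)
    return bridge.credited["alice"], chain.balance_of(WETH, Bridge.address)
```

forge(ZERO, False) and forge(WETH, False) each credit 1,000 to an attacker who deposited nothing; the hardened path credits 0 in both cases and still accepts honest_deposit(). Checking the balance delta, rather than trusting a call's success flag or a branch's assumption about where the funds came from, is the single check that covers both variants.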
Meter first said it would compensate users for their lost BNB and WETH with MTRG tokens. A governance vote then decided instead to issue new PASS tokens to affected users and buy the PASS back with Meter's future earnings, but no buyback has been made yet.
Related reading: "Loss of heart and mind 'blows up bridge' again, cross-chain bridge project Meter.io loses $4.2 million"
Ronin: $620 million involved, paid out
On the evening of March 29, 2022, it was disclosed that funds had been stolen from the Ronin chain behind the blockchain game Axie Infinity. The theft itself took place on March 23 but went unnoticed until March 29. The attack caused losses of approximately $620 million.
According to a Sky Mavis blog post and a report by The Block, the Ronin theft began with social engineering. Someone posing as a recruiter for a fake company contacted employees of Axie Infinity and Ronin developer Sky Mavis through LinkedIn and encouraged them to apply for jobs; one Sky Mavis employee received an "offer" after several rounds of interviews. When the employee opened the forged offer letter, the malware it carried gave the attackers a foothold in Sky Mavis's systems, and from there they took over four of the nine validators on the Ronin network. Withdrawals required five of nine validator signatures, so one more was needed: the Axie DAO had earlier allowlisted Sky Mavis to sign transactions on its behalf and that access was never revoked, so once the attackers controlled Sky Mavis they could also obtain the Axie DAO validator's signature.
Ronin's stolen funds were not recovered. On April 4, Sky Mavis announced the completion of a $150 million funding round led by Binance to compensate users for their losses, and on June 29 it announced that the Ronin bridge was back online and users could be reimbursed. The stolen funds were mainly ETH (173,600 ETH plus 25.5 million USDC), and the price of ETH fell by about two-thirds between the attack and the payout, so the dollar value users got back was far below the value at the time of the theft.
Related reading: "Review the whole process of transferring Ronin's stolen money: only about 1.8 ETH remained in the original attack wallet".
Wormhole: $326 million involved, paid out
On February 3, 2022, the cross-chain interoperability protocol Wormhole was hacked, losing about 120,000 ETH, worth roughly $326 million.
On February 5, Wormhole reported that the breach was caused by a bug in the signature verification code of the core Wormhole contract on the Solana side, which let the attacker bypass guardian signature verification, forge a guardian-approved message and mint whETH.
On February 4, Jump Crypto (which had earlier acquired Certus One, Wormhole's development company) announced that it had put 120,000 ETH into Wormhole to cover the loss, and the bridge resumed operation.
Related reading: "Second largest DeFi hack in history: Wormhole lost about $320 million"
EvoDeFi: Tens of millions of dollars expected to be involved, unprocessed
On June 7, 2022, USDT on the Oasis ecosystem DEX ValleySwap depegged severely. ValleySwap had been the largest DEX on the Oasis chain, with a TVL of up to $220 million. DefiLlama shows a large outflow of funds from ValleySwap starting June 4, with TVL down to $88.78 million on June 7; the exact loss is unknown but is expected to be in the tens of millions of dollars.
Assets on ValleySwap depegged because the bridge it relied on, EVODeFi, no longer had enough liquidity on the source chain to back redemptions. EVODeFi blamed the problem on FUD-driven panic, an explanation that does not hold water. Oasis officials responded that EVODeFi had been warned about the risk and that the Oasis network has no affiliation with ValleySwap or EvoDeFi, which is high-risk, unaudited, closed-source and centralised. It is possible that EVODeFi drained user assets through a backdoor.
Users have no recourse for their losses, and the Oasis chain is eager to distance itself. The official Twitter accounts of both ValleySwap and EVODeFi stopped updating after June 8, which amounts to an exit scam.
Related reading: "USDT on Oasis eco-DEX ValleySwap has been severely de-anchored"
Horizon: nearly $100 million involved, compensation plan in the works
On June 24, 2022, Harmony's official cross-chain bridge, Horizon, was attacked, with total losses of approximately $100 million.
On June 26, Harmony founder Stephen Tse acknowledged that a compromise of private keys was the likely cause. The funds were drained on Ethereum and BNB Chain, and the stolen assets included BUSD, USDC, ETH and WBTC. Previously only 2 of the 5 multisig signers were required to move funds between Ethereum and Horizon, so compromising two keys was enough to empty the bridge; the threshold was later raised to 4 of 5.
Harmony had hoped to compensate users for (part of) their losses over a 3-year period by issuing additional ONE tokens, but the community did not agree. In a compensation proposal launched by the Harmony community on July 27, Stephen Tse said that he understood the community's concerns and would rework the compensation proposal.
Related reading: "CertiK: Nearly $100 Million in Skyrocketing Losses, Analysis of Harmony Cross-Chain Bridge Hack"
Nomad: $190 million involved, processing underway
On August 2, 2022, Nomad's liquidity, $190 million before the incident, was drained within hours. The incident also cost Connext, another Layer 2 interoperability protocol, about $3.34 million, the value of the madAssets Connext had routed and held on the affected chain.
According to analysis by Paradigm researcher samczsun, a Nomad contract upgrade initialised the trusted root to 0x00. A message that had never been proven reads back a root of zero, and zero was now an accepted root, so anyone could copy a previous valid transaction, replace the recipient address with their own, and broadcast it to withdraw funds from the bridge.
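The acceptance check described above, as an added example that is not Nomad's code: a simplified replica whose upgrade initialises the trusted root to 0x00, so a message that was never proven (and therefore reads back a zero root) passes the root check. The class and method names, the message format, the hashing and the timestamps are assumptions, and the Merkle-proof check is elided:

```python
"""Model of the Nomad replica flaw. Added example, not Nomad's code: names,
message format, hashing and timestamps are assumptions, and Merkle-proof
checking is elided."""
import hashlib
import json
import time

ZERO_ROOT = b"\x00" * 32


def message_hash(message):
    return hashlib.sha256(json.dumps(message, sort_keys=True).encode()).digest()


class Replica:
    def __init__(self, committed_root, hardened):
        self.hardened = hardened
        self.confirm_at = {}   # root -> time from which the root is acceptable
        self.messages = {}     # message hash -> root it was proven against
        self.processed = set()
        self.balances = {}
        if hardened and committed_root == ZERO_ROOT:
            raise ValueError("refusing to initialise with the zero root")
        # The incident upgrade did the equivalent of this with committed_root
        # == 0x00, turning the 'no root' value into a trusted root.
        self.confirm_at[committed_root] = 1

    def prove(self, message, root):
        """Records the root a message was proven under. The Merkle-proof check
        that belongs here is elided; the proof is assumed valid."""
        if not self.acceptable_root(root):
            raise ValueError("!root")
        self.messages[message_hash(message)] = root

    def acceptable_root(self, root):
        if self.hardened and root == ZERO_ROOT:
            return False
        t = self.confirm_at.get(root, 0)
        return t != 0 and time.time() >= t

    def process(self, message):
        h = message_hash(message)
        if h in self.processed:
            raise ValueError("already processed")
        if self.hardened and h not in self.messages:
            raise ValueError("!proven")
        # A never-proven message reads back the zero root, as an untouched
        # storage slot does in the EVM; the vulnerable replica trusts it.
        root = self.messages.get(h, ZERO_ROOT)
        if not self.acceptable_root(root):
            raise ValueError("!proven")
        self.processed.add(h)
        to = message["recipient"]
        self.balances[to] = self.balances.get(to, 0) + message["amount"]
        return True


def copy_paste_attack(hardened, committed_root=ZERO_ROOT):
    """Takes a processed message seen on-chain, swaps the recipient, resubmits."""
    replica = Replica(committed_root, hardened)
    legit = {"nonce": 1, "recipient": "alice", "amount": 100}
    forged = dict(legit, recipient="attacker")  # new hash, never proven
    try:
        replica.process(forged)
    except ValueError:
        pass
    return replica.balances.get("attacker", 0)


def proven_message_still_processes():
    root = b"\x11" * 32  # constructed non-zero root
    replica = Replica(root, hardened=True)
    msg = {"nonce": 2, "recipient": "bob", "amount": 7}
    replica.prove(msg, root)
    replica.process(msg)
    return replica.balances["bob"]
```

copy_paste_attack(False) credits the attacker 100 from a forged copy of someone else's message; the hardened replica refuses to initialise with the zero root, refuses to process unproven messages, and still processes a proven one. The general rule: a zeroed storage slot is never a valid "proven" state, so treat the default value as a distinct sentinel in every mapping lookup that gates funds.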
According to analysis by OKLink (欧科云链), 1,251 Ethereum addresses took part in the attack, for a total of about $190 million; 12 of them were ENS addresses, which accounted for about 38% of the total. The project has not given a concrete payout plan, and some white-hat participants have already said they are willing to return the funds.
Related reading: "Over $150 million loss, cross-chain bridge protocol Nomad hacking incident analysis"
Summary
The number of cross-chain bridge security incidents is enough to keep everyone alert. The three largest bridges by liquidity, Multichain, Portal (Wormhole) and Poly Network, have all had security incidents, which shows that cross-chain bridges are a high-risk area and that any bridge may have security problems again.
Relatively speaking, the stronger the development team's background and the better capitalised the bridge, the easier it has been to recover assets or have the project compensate users after an incident: the huge sums stolen from Poly Network, Ronin and Wormhole were recovered or paid out in full.
Real-time monitoring and proactive handling by the team also work: both Hop Protocol and Stargate acted quickly on reports of suspicious activity, and the attempted attacks on them failed.