A Timeline and History of Recent Cross-Chain Bridge Attacks | Analog Insights


Blockchain ecosystems are not merely communication and storage protocols. Each chain has a history, culture, and community worth protecting. For example, some communities are more focused on maximizing raw computational power or storage capacities. Others are working hard to create “sound money” alternatives to current fiat currencies.

As the blockchain sector continues to grow, it has become more evident that the future of blockchain is multi-chain. Not to be confused with “Multichain” or cross-chain router, a multi-chain future is an ecosystem where we have multiple blockchains thriving while being interoperable with each other.

Clearly, the need for an easy way to transfer assets between various disparate blockchains in a multi-chain ecosystem has become more critical than ever. That is where cross-chain bridges come in. By allowing disparate blockchains to interact, cross-chain bridges enable the transfer of value from one network to another. In this regard, bridges have become an essential feature of Web3, especially in DeFi.

According to DeFi Llama, the total value locked (TVL) across all DeFi-based applications was estimated at 200 billion USD in January 2022 compared to 20 billion USD in January 2021. This represented a whopping tenfold increase in TVL within one year. The amount of value locked and bridged in these DeFi-based applications has attracted the attention of hackers, with the latest trend showing an increase in cross-chain bridge attacks.

According to the Rekt database, over 1.2 billion USD in cryptocurrency assets were stolen in Q1 2022 alone. This represents 36% of all-time stolen crypto assets, according to the same source. Similarly, Chainalysis — a blockchain analytics company — estimates that up to 2 billion USD worth of crypto has been stolen from cross-chain bridges in 2022.

Because of the recent hacks associated with cross-chain bridges, there is a growing concern over their widespread use in Web3. With hacks on these bridges costing users millions of US dollars, their functionality deserves an analysis.

Nexus between cross-chain bridges and security

Akin to traditional bridges, cross-chain bridges are protocols that enable two disparate networks to interoperate, allowing assets and information to move from one chain to another. With bridges, cryptocurrencies and non-fungible tokens (NFTs) do not necessarily need to be siloed within their native blockchain ecosystems. Instead, the assets can be “bridged” across different blockchain ecosystems, multiplying the options for their use on different networks.

For example, a bridge can allow you to use Bitcoin (BTC) in smart contract-based platforms, such as Ethereum or Avalanche, for DeFi purposes.

To bridge assets across heterogeneous chains, you need to deploy a smart contract on both the source and the destination chain. The majority of today’s bridges rely on a simple “lock and mint” mechanism where assets are locked in a smart contract in the source chain before being minted as a wrapped version or intermediate token on the destination chain.

For example, suppose you have 10 BTC but need to participate in a DeFi-based program, such as staking on Ethereum. You will need to deposit your 10 BTC to the bridge’s address on the Bitcoin network. Once there is proof that you have deposited, i.e., locked 10 BTC on the Bitcoin network, the bridge protocol proceeds to mint 10 wrapped bitcoins (wBTC) on the Ethereum chain.

Because the newly minted tokens, wBTC, are compatible with the Ethereum chain, you can use them however you like on that platform. However, you will need to burn wBTC on the Ethereum network to withdraw the locked BTC. Once wBTC has been burned, the bridge unlocks the bitcoins you deposited earlier and sends them to your wallet address.
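The lock, mint, burn and unlock steps above can be modelled in a few lines. This is an added example, not code from the original article or from any real bridge; the class, method and deposit ID names are hypothetical, and amounts are whole tokens.

```python
# Added example: in-memory model of a lock-and-mint bridge (not a real bridge's code).
# Class, method and ID names are hypothetical; amounts are whole tokens.

class LockMintBridge:
    def __init__(self):
        self.locked = 0        # BTC held at the bridge address on the source chain
        self.deposits = {}     # deposit_id -> (owner, amount) observed on the source chain
        self.minted = set()    # deposit_ids already consumed by a mint
        self.wrapped = {}      # owner -> wBTC balance on the destination chain

    def lock(self, deposit_id, owner, amount):
        if amount <= 0 or deposit_id in self.deposits:
            raise ValueError("invalid or duplicate deposit")
        self.deposits[deposit_id] = (owner, amount)
        self.locked += amount

    def mint(self, deposit_id, owner, amount):
        # Mint only against a recorded deposit, for the exact amount, and only once.
        if self.deposits.get(deposit_id) != (owner, amount):
            raise PermissionError("no matching deposit on the source chain")
        if deposit_id in self.minted:
            raise PermissionError("deposit already used for a mint")
        self.minted.add(deposit_id)
        self.wrapped[owner] = self.wrapped.get(owner, 0) + amount

    def burn_and_unlock(self, owner, amount):
        # Burn wBTC first, then release the same amount of locked BTC.
        if amount <= 0 or self.wrapped.get(owner, 0) < amount:
            raise ValueError("insufficient wrapped balance")
        self.wrapped[owner] -= amount
        self.locked -= amount
        return amount

    def fully_backed(self):
        # Core invariant: wrapped supply never exceeds locked collateral.
        return sum(self.wrapped.values()) <= self.locked


def walkthrough():
    bridge = LockMintBridge()
    bridge.lock("dep-1", "alice", 10)          # deposit 10 BTC
    bridge.mint("dep-1", "alice", 10)          # receive 10 wBTC
    try:
        bridge.mint("dep-1", "alice", 10)      # reusing the same proof must fail
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    released = bridge.burn_and_unlock("alice", 10)
    return replay_blocked, released, bridge.locked, bridge.fully_backed()
```

The two checks in `mint` are what keep the wrapped supply backed: a mint must match a recorded deposit exactly, and each deposit can be consumed only once.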

From a security viewpoint, we can classify bridges into two broad categories: trusted and trustless. As the name suggests, trusted bridges are protocols that rely on trusted third parties to validate transactions between the source and the destination chains. More importantly, these bridges act as custodians of the bridged assets. Examples of such bridges include the Binance Bridge, Harmony Bridge, and WBTC Bridge.

Because users have to place trust in a centralized custodian, trusted bridges negate the security benefits of decentralization. Moreover, the pools of locked tokens held by the bridge's smart contract represent a honeypot for any attacker. When the bridge is compromised, the intermediate tokens on the destination chain are left unbacked and lose their value.

Trustless bridges, on the other hand, are protocols that solely rely on smart contracts and algorithms to custody assets. Because they do not require trusted intermediaries to custody the assets, they are considered more secure than trusted bridges. Polkadot’s Snowbridge, Celer, and Cosmos IBC are some examples of trustless bridges.

Although trustless bridges eliminate the risks associated with centralization, bugs and other programming constraints present risky situations that hackers can easily exploit to attack the protocol. For example, virtually every developer uses some third-party, open-source libraries to build their DApps, with millions sharing their tools with other developers and leveraging existing modules to accelerate code development. However, using someone’s library means trusting the developers behind that code.

A malicious hacker who compromises one of these third-party libraries can insert a malicious payload into the bridge's smart contract. Once the source code has been compromised, the attacker can launch attacks against the protocol.

In addition, hackers are getting more sophisticated in their attacks as the number of users and the value of crypto assets keep increasing. For example, traditional cybersecurity attacks like phishing and social engineering are increasingly being adopted in Web3 to target both centralized and decentralized protocols.

Major bridge exploits in 2022

Bridge attacks have been getting worse and worse, with no solutions in sight. Below are six of the top bridge hacks that we have witnessed in 2022:

  • Ronin Network — 620 million USD loss

    Ronin Network is an Ethereum-linked sidechain designed for blockchain games such as Axie Infinity. In March 2022, the platform was defrauded of over 620 million USD in ETH and USDC.

    The attacker used hacked private keys to make fraudulent withdrawals from the Ronin bridge contract in two transactions. This attack, which occurred on March 23, was only discovered a week later when one of its users failed to withdraw 5,000 ETH. The Ronin attack is considered one of the largest DeFi hacks in history and remains the biggest in 2022.

  • BSC Bridge — 568 million USD loss

    On October 7, 2022, the BNB bridge, which serves as a cross-chain hub that facilitates the transfer of assets between the BNB Beacon Chain (BEP2) and Binance Smart Chain (BEP20), was hacked for over 568 million USD. The hacker fraudulently issued 2 million BNB, worth approximately 568 million USD, on October 6 from the BSC address in two transactions of 1 million BNB each.

    After issuing the transaction, the hacker forged arbitrary messages on block height 110217401, enabling the creation and subsequent withdrawal of 2 million BNB. However, thanks to quick action by network validators, the hacker managed to transfer only 137 million USD, with the rest being frozen on BSC.

  • Wormhole Bridge — 320 million USD loss

    Wormhole is a cross-chain bridge that connects Solana and other top DeFi networks, such as Ethereum and Avalanche. In February 2022, a hacker siphoned over 320 million USD in wrapped ETH (wETH) out of the protocol.

    According to Elliptic — an analytics firm — the hacker exploited the protocol’s failure to validate the “guardian” accounts, allowing the attacker to mint 120,000 wETH with no corresponding ETH backing on the Ethereum network. The attacker then exchanged 93,750 wETH for ETH and the rest for SOL on Solana.

  • Nomad Bridge — 190 million USD loss

    Nomad is a cross-chain bridge that leverages both on-chain and off-chain network components and supports Ethereum, Moonbeam, and other chains. In August 2022, attackers drained approximately 190 million USD from the protocol. The hackers exploited a faulty section of the smart contract to withdraw more assets than those deposited as collateral on the platform.

  • Horizon Bridge — 100 million USD loss

    Horizon is a cross-chain bridge that facilitates asset transfers between different networks, including Ethereum (ETH), Bitcoin (BTC), BSC (BNB), and Harmony blockchain. In June 2022, hackers siphoned more than 100 million USD worth of ETH, BTC, and BNB off the Harmony-managed platform. Apparently, the attackers used hacked private keys from over 5,000 user wallets to create fraudulent withdrawals in different tokens.

  • QBridge — 80 million USD loss

    QBridge is Qubit’s cross-chain bridge that allows users to swap ETH for BNB. It allows users to deposit wETH from the Ethereum mainnet to Qubit’s BSC-powered smart contract, enabling them to mint xETH that can serve as collateral for borrowing on BSC. In January 2022, a malicious actor exploited the protocol to mint nearly 80 million USD of xETH tokens on the BSC platform. The attacker tricked the BSC platform into thinking they had deposited wETH; however, they traded the wrapped assets for BNB tokens and disappeared.
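Several of the incidents above end the same way: tokens are minted or withdrawn on one chain without matching collateral on the other. The sketch below is an added example, not from the original article or any bridge project, showing how a monitor can reconcile destination-chain mints against source-chain locks. The event layout and every sample value are constructed for illustration.

```python
# Added example: off-chain reconciliation of mints against locks.
# Event tuples and all sample values below are constructed for illustration.
from collections import defaultdict

# (deposit_id, token, amount) observed on the source chain
LOCKS = [("dep-1", "ETH", 5), ("dep-2", "ETH", 10)]

# (deposit_id, token, amount) observed on the destination chain
MINTS = [
    ("dep-1", "ETH", 5),    # backed
    ("dep-1", "ETH", 5),    # same deposit used a second time
    ("dep-2", "ETH", 12),   # more minted than was locked
    ("dep-9", "ETH", 7),    # no lock at all
]


def unbacked_mints(locks, mints):
    """Return (deposit_id, reason) for every mint that no lock justifies."""
    locked = {dep_id: (token, amount) for dep_id, token, amount in locks}
    consumed, alerts = set(), []
    for dep_id, token, amount in mints:
        if dep_id not in locked:
            alerts.append((dep_id, "no matching lock"))
        elif locked[dep_id] != (token, amount):
            alerts.append((dep_id, "token or amount mismatch"))
        elif dep_id in consumed:
            alerts.append((dep_id, "deposit already minted"))
        else:
            consumed.add(dep_id)
    return alerts


def supply_gap(locks, mints):
    """Per token: minted supply minus locked collateral (positive means unbacked)."""
    gap = defaultdict(int)
    for _, token, amount in mints:
        gap[token] += amount
    for _, token, amount in locks:
        gap[token] -= amount
    return {token: g for token, g in gap.items() if g > 0}


if __name__ == "__main__":
    for dep_id, reason in unbacked_mints(LOCKS, MINTS):
        print(f"ALERT {dep_id}: {reason}")
    print("unbacked supply:", supply_gap(LOCKS, MINTS))
```

The per-deposit check pinpoints which mint is unjustified, while the aggregate gap still raises an alarm when individual events cannot be matched.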

Conclusion

The recent bridge exploits are a painful reminder of the need for a secure, interoperable infrastructure that can allow value to be moved seamlessly between heterogeneous chains. There are three ways the blockchain sector can move away from these hacks. The first is decentralizing the interoperability layer. The layer should not have any barriers to entry. Unfortunately, current protocols such as proof-of-work (PoW) or proof-of-stake (PoS) don’t provide this feature.

Second, the gateway smart contracts need to be thoroughly audited by multiple highly reputable auditors. Users should also check the audit reports to verify if the detected issues have actually been resolved, not simply acknowledged. Third, users should check whether the bridge has a bug bounty program. Bounty programs can help incentivize white hat hackers and the general community to review the source code and disclose any vulnerabilities before bad actors exploit them.

At Analog, we are building a secure omnichain interoperable infrastructure that combines exemplary architecture, engineering, and processes. Analog’s omnichain interoperability security is powered by the following:

  • Robust threshold signature schemes (TSS) that enforce security policies, such as leaderless key generation and mandatory key rotations.

  • A novel proof-of-time (PoT) with decentralization as its core underlying principle.

  • Novel tokenomics design with appropriate incentives and disincentive mechanisms.

  • Fraud proofs that enable the mitigation of malicious validators and interconnected chains with a dishonest majority.
