Crypto bridges are a vital component of the decentralized finance (DeFi) ecosystem, providing seamless interoperability between different blockchain networks. With crypto bridges, users can easily transfer assets between chains, unlocking the full potential of DeFi and unlocking new opportunities for growth and innovation. Naturally, this makes them a tempting target for hackers and the Web3 industry has already seen a number of high-profile bridge hacks.
According to DefiLlama, since June 2016 some $2.5 billion have been stolen in bridge hacks. What’s encouraging, though, is that the crypto bridge community continues to push forward, learning from past mistakes and working to improve the security and reliability of these important systems.
Today we are going to review several of the biggest bridge hacks to examine what went wrong and how the bridges recovered from the attacks.
Biggest bridge hacks
First on our list is the Ronin hack, which saw a hacker employing social engineering tactics to steal hundreds of millions worth of dollars in tokens from the Ronin Bridge. Built by Axie Infinity developer Sky Mavis, the bridge connects the Ronin Network – an EVM-based sidechain used by Axie Infinity – to Ethereum.
On the 23rd of March 2022 through social engineering, hackers managed to compromise the private keys of the validators and exploit the bridge to steal 173.6K ETH and 25.5M USDC tokens, worth more than $600 million at the time. A LinkedIn recruiter approached engineers working for Axie Infinity about a lucrative job opportunity. Most of them ignored it but one senior engineer went through several interviews and got offered the position. However, neither the company was real nor the job – it was a setup. The engineer then downloaded a pdf file containing information about the compensation package but unfortunately, the file was spyware. The hacker then gained access to four out of nine validators. That was still not enough to make the exploit possible, since for an attack to be successful, it has to gain control over more than 50% of bridge validators.. The last piece of the puzzle was that Axie DAO had given access to Sky Mavis to sign on its behalf to deal with high user volume but it never revoked it afterward, leaving a potential backdoor.
It is suspected that the North Korean hacking group “Lazarus” was responsible for the exploit. Quickly after the attack, the hackers attempted to profit from the hack by short selling Axie Infinity (AXS) and Ronin (RON) in anticipation of the news causing a decrease in the tokens’ prices. However, their positions were liquidated before the news became public. Though cashing out the stolen funds proved difficult, as exchanges had blocked their wallets, they were still able to successfully extract roughly $200 millions.
A couple of months after the exploit the bridge restarted work. The number of validators was increased to make the bridge more decentralized and all the validators needed to update their software.
Binance Bridge is a bridge service that provides access to inter-blockchain liquidity for BNB Chain, BNB Smart Chain – previously called Binance Chain and Binance Smart Chain, respectively – and Ethereum.
On the 6th of October 2022, hackers managed to exploit a proof verifier bug in the bridge and drain $570M (2 million BNB tokens). The first step for the hacker was to register as a relayer for the BSC Token Hub by providing 100 BNB tokens. The Token Hub acts as a vault and facilitates cross-chain transactions between the Binance Smart Chain and the BNB Beacon Chain. By registering as a relayer for BSC Cross-Chain Bridge, the attacker’s relaying requests could be accepted by BSC, allowing the attacker to exploit a bug in the method BSC Token Hub used for proof verification. The exploit was possible due to the wrong utilization of the iavl library used for Merke proof verifications.
The bridge suspended all of the 44 validators temporarily to limit the damage and an urgent patch was introduced to fix the issue. Around $137M were moved to other chains, while the rest were frozen on the BSC. Most of the funds were laundered using Venus and Geist and the rest through Uniswap, PancakeSwap, Curve Finance and Platypus Finance by putting the stolen BNB as collateral to borrow various stablecoins.
Wormhole is a bridge between Ethereum and Solana which helps the users benefit from Solana’s high speed and low cost.
On the 2nd of February 2022, the Wormhole bridge was hacked for $236M worth of tokens (ETH, USDC and SOL). The attacker was able to bypass the signature verification by exploiting a deprecated and insecure function in the code. The hacker then was able to mint 120K ETH . The attack came after a change in the code was pushed to the GitHub repository by a developer on the same date.
The vulnerability was immediately patched and the bridge resumed work the next day. Jump Crypto provided 120K ETH to Wormhole to cover the losses. The name of the bridge was renamed to Portal Token Bridge while Wormhole remains the name of the underlying protocol.
Nomad is an optimistic interoperability protocol that enables secure cross-chain communication. There are no validators, and there is no blockchain. They are deployed as smart contracts between two chains and have a lightweight off-chain component. This allows them to have less overhead and be more cost-efficient than other interoperability protocols.
On the 2nd of August 2022, the Nomad Bridge was exploited for over $190 million in WETH and USDC and the hack was possible due to a trusted root exploit. The detection of the incident was made through the observation of a series of transactions that took place on the Nomad Bridge connecting the Moonbeam and Ethereum networks. When 0.01 WBTC was sent from Moonbeam to the bridge, 100 WBTC was released on the Ethereum network. In an effort to improve the protocol, Nomad chose to set the value of trusted roots to 0x00. While this is a common approach, it also coincides with the value of an untrusted root, leading all messages to be automatically deemed verified. Once users found out about the problem, it was rapidly taken advantage of through a series of transactions. Even those who were not familiar with the technicalities of the situation were able to exploit it by simply copying a successful exploit transaction and replacing the wallet address with their own.
The Nomad team requested that users who had obtained funds return them and retain 10% of the returned amount. Some of the stolen funds were successfully retrieved, with $32 million already returned by these so-called “white hat” hackers. The total value locked (TVL) in the bridge was $190 million prior to the exploit, which resulted in almost the entire amount being drained.
Harmony’s Horizon bridge provides a trustless way for its users to move crypto assets between the Harmony, BNB Smart Chain and the Ethereum blockchains.
On the 23rd of June 2022, Horizon bridge was exploited for $100M after their private keys were compromised.
Like other cross-chain bridges, the Harmony Horizon Bridge had a validation process in place to approve transactions that are being transferred across the bridge. The approval process in this case used a multi-signature system with five validators. However, the bridge was only using a 2-of-5 validation scheme, which means that only two blockchain accounts needed to be compromised for an attacker to approve any malicious transaction of their choosing. The exploitation of the Harmony Horizon Bridge occurred through the theft of two private keys. It is still unknown how the attackers got access to the keys. These private keys were protected by both a passphrase and a key management service, and there was no system that had access to multiple plaintext keys. With control of two of the bridge’s private keys, the attacker could create a transaction that transferred $100 million from the bridge and confirm and approve it using the two accounts under their control.
The attacker then used Tornado Cash to hide the transaction trails and launder the stolen tokens. The hack again has been linked to the North Korean hacking group “Lazarus”.
Since the attack, the multi-signature scheme of the bridge has been updated to require approval by 4 of the 5 validators and also Harmony Protocol offered a $1M bounty for the return of the bridge funds.
Successful cyber attacks and high-profile hacks put the importance of bridge security into sharp relief. Blockchain bridges constitute a crucial piece of cross-chain infrastructure and blockchain bridge development demands utmost commitment, technical expertise and knowledge. Fortunately, with Web3 developers already stepping up their game and taking extra care to make sure that bridges are sufficiently decentralized and underpinned by secure and well-optimized smart contracts, the industry is getting much more capable of fending off such attacks.