On January 7, 2022, Ethereum founder Vitalik Buterin warned about the security of cross-chain bridges. Vitalik argues that assets connected across chains are not as secure as assets kept within a single blockchain.
Million-dollar hacks have been a clear demonstration of Vitalik Buterin’s argument. What is the future of cross-chain bridges? Is it time to abandon the idea of connecting blockchains by bridges?
A cross-chain bridge (blockchain bridge) is a protocol that allows users to transfer assets from one blockchain to another.
Security risks of cross-chain bridge
The safety of an asset transfer between blockchains is not guaranteed. In fact, no one can actually transfer or connect an asset to another blockchain. Instead, assets are deposited, locked, or burned on one chain and are then credited, unlocked, or minted on the second chain.
Besides, blockchains cannot access off-chain information. Instead, an intermediary oracle confirms the accuracy of off-chain information and aggregates the data for on-chain use.
Users must put their trust in bridges: first trust in oracle data, then trust in custodians.
Typically, cross-chain bridges work by sending an asset to a custodian and receiving a wrapped version of that asset from the custodian on the second blockchain. The user must trust the custodian to secure the original asset and return the wrapped asset.
Sometimes, the custodian can be a decentralized autonomous organization (DAO) or a smart contract. In any case, whether it’s a DAO or a blockchain security company like BitGo, bridges need a lot of trust from users.
The next layer of trust concerns convertibility and comparable pricing. It is not enough to receive assets. Users must continue to trust that they will be able to receive assets of equal value in return. An original asset must be exchanged for a wrapped asset. Therefore, users face parity risk.
Assets from a cross-chain bridge must at least maintain parity with the original asset. Therefore, users not only put their trust in the bridge's implementation at the time of swapping assets, but also expect the wrapped asset to remain usable in the future.
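The lock-and-mint flow and the parity requirement described above can be checked mechanically: every wrapped token minted or original released must consume exactly one matching deposit or burn. The following reconciliation monitor is an added example, not code from any bridge project; the event model, the transfer_id field and the sample events are assumptions constructed for illustration, and events are assumed to arrive already merged in order from both chains.

```python
from collections import defaultdict
from typing import NamedTuple

class Event(NamedTuple):
    kind: str         # "lock"/"unlock" on the source chain, "mint"/"burn" on the destination
    transfer_id: str  # hypothetical id linking the two legs of one transfer
    asset: str
    amount: int       # smallest unit of the asset

def reconcile(events):
    """Replay bridge events in order; return (alerts, shortfall per asset)."""
    locked = defaultdict(int)   # originals held by the custodian
    supply = defaultdict(int)   # wrapped tokens outstanding
    pending = {"mint": {}, "unlock": {}}  # first legs awaiting their second leg
    alerts = []
    for e in events:
        leg = (e.asset, e.amount)
        if e.kind == "lock":
            locked[e.asset] += e.amount
            pending["mint"][e.transfer_id] = leg
        elif e.kind == "burn":
            supply[e.asset] -= e.amount
            pending["unlock"][e.transfer_id] = leg
        elif e.kind in ("mint", "unlock"):
            if e.kind == "mint":
                supply[e.asset] += e.amount
            else:
                locked[e.asset] -= e.amount
            # The second leg must consume exactly one matching first leg. A missing,
            # mismatched or already-consumed first leg means the release is unbacked.
            if pending[e.kind].pop(e.transfer_id, None) != leg:
                alerts.append((f"UNBACKED_{e.kind.upper()}", e.transfer_id, e.asset, e.amount))
        else:
            raise ValueError(f"unknown event kind: {e.kind}")
    assets = set(locked) | set(supply)
    shortfall = {a: supply[a] - locked[a] for a in assets if supply[a] > locked[a]}
    return alerts, shortfall

# Constructed sample: one honest round trip, one mint with no deposit, one replayed mint.
SAMPLE = [
    Event("lock", "t1", "WETH", 10), Event("mint", "t1", "WETH", 10),
    Event("mint", "t2", "WETH", 120),                      # no matching lock
    Event("burn", "t3", "WETH", 4), Event("unlock", "t3", "WETH", 4),
    Event("mint", "t1", "WETH", 10),                       # deposit t1 reused
]

if __name__ == "__main__":
    alerts, shortfall = reconcile(SAMPLE)
    for alert in alerts:
        print(alert)
    print("wrapped supply exceeding locked collateral:", shortfall)
```

A non-empty shortfall means wrapped tokens are circulating without originals behind them, which is the condition under which parity can no longer hold for every holder.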
In general, all security risks of an asset will increase exponentially through bridge intermediaries.
Are you worried about the Tether company not being able to exchange one USDT for $1? In particular, when a USDT cross-chain bridge connects to a blockchain that is not supported by Tether, the risk is increased by custodians, smart contracts, liquidity, and price parity.
On top of that, the issue is whether cross-chain bridges collapse when users withdraw assets.
Blockchain bridge hacks have occurred
Cross-chain bridges are like wormholes that transport matter through space, but they form spontaneously.
In fact, Wormhole was once the largest-cap cross-chain bridge, connecting the blockchains of Ethereum and Solana. Like other cross-chain bridge protocols, Wormhole has been hacked. Below is a list of protocols that have been exploited and attacked by hackers.
Attackers stole $3 million in a Multichain cross-chain bridge exploit on January 19, 2022.
When Multichain made its first announcement, users questioned the security of their assets. The announcement alerted users to withdraw WETH, MATIC, AVAX, PERI, OMT, and WBNB tokens from affected smart contracts on the platform.
Later, Multichain said an attacker returned 259 stolen ETH. Tether froze USDT on addresses linked to the exploit.
Qubit Finance lost 206,809 BNB ($80 million) in the QBridge exploit on January 27, 2022. The project has built its protocol on Binance Chain.
The exploit generated 77,162 qXETH that the attackers could exchange for BNB tokens. Qubit offered to negotiate with the attacker to get the money back.
— Qubit Finance (@QubitFin) January 28, 2022
The attackers created 120,000 wrapped ETH on Solana’s blockchain using Wormhole bridge on February 2, 2022. They created a spoofed signature account to validate transactions.
A Paradigm researcher reverse engineered the attack and determined that Wormhole had failed to implement sufficient validation for its guardian signatures.
tl;dr – Wormhole didn't properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.
— samczsun (@samczsun) February 3, 2022
Meter.io’s Meter Passport exploit
Meter.io’s Meter Passport bridge lost $4.4 million in one operation on February 5, 2022. The exploit targeted the Moonriver smart contract platform on Polkadot’s Kusama network. Attackers stole BNB and wrapped ETH, then sold BNB on the decentralized exchange Uniswap.
This exploit caused BNB price to plummet, allowing other individuals to buy BNB at a low price and use BNB as collateral for loans on platforms like Hundred Crisis. The loans had an impact on the supply of affected lending applications.
1. Around 6am Pacific time we identified someone was able to leverage a vulnerability of the bridge to mint a large amount of BNB and WETH tokens and depleted the bridge reserve for BNB on WETH.
— ⚡️Meter.io⚡️ (@Meter_IO) February 5, 2022
Attackers stole 173,600 ETH and 25.5 million USDC (about $600 million) from the Ronin bridge on March 29, 2022. This exploit involved gaining access to the private keys of validator nodes. Ronin developers halted deposits and withdrawals until investigative agencies determine the issue.
The developers built the Ronin sidechain of Ethereum for the Axie Infinity game to save on fees. However, that has caused them to suffer a security breach.
You cannot make this up
Hacker steals $600MM in ETH from Ronin blockchain the one underlying Axie
Hacker then goes short Ronin & AXS (Axie token) knowing as soon as news breaks that tokens will plummet
But NO ONE notices and they get liquidated on short before news breaks
— Eric Golden 🍌🦇🔊 (@ericgoldenx) March 29, 2022
WonderHero discovered a cross-chain bridge exploit on April 7, 2022, when the value of its native WND token unexpectedly plummeted by 50%. WonderHero lost $300,000 in WND tokens in the attack.
WonderHero has suspended the website, games, bridges, deposits and withdrawals during the investigation. After that, WonderHero rebooted the game system, markets and profits. WonderHero has posted an analysis confirming that the Binance bridge has been hacked.
Harmony One’s Horizon exploit
Harmony One’s Horizon lost $100 million in an exploit on June 23, 2022. The team is working with law enforcement agencies and legal experts to investigate the exploit.
The wallet address used to receive the stolen funds is called “Horizon Bridge Exploiter” on Etherscan.
Horizon Bridge Exploiter currently holds just over $93,000 in cryptocurrency.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
ChainSwap lost 20 million WILD tokens in one exploit on July 10, 2022. Wilder World uses WILD as the native token. A Twitter user who is a member of Wilder World discovered the ChainSwap exploit on 2022-07-10.
This exploit also affects Antimatter, Optionroom, Umbrellabank, Nord, Razor, Peri, Unido, Oro, Vortex, Blank and Unifarm tokens.
ChainSwap froze the Ethereum-Binance Smart Chain cross-chain bridge during its investigation. ChainSwap had previously been exploited for $800,000 on July 2 and has managed to recoup some of the losses in this attack.
Attackers stole $190 million in tokens by exploiting a vulnerability in Nomad’s smart contract on August 2, 2022. Once the method of exploiting the smart contract became public, a mass attack stole a significant amount of assets.
Andreessen Horowitz’s CISO suggested that some of the attackers may have been white hat hackers aiming to keep money out of the hands of nefarious actors.
Nomad is working with law enforcement and private security companies to investigate, and has thanked white hat hackers for taking the initiative to protect the funds.
Bridges help move users’ assets from one blockchain to another, and this demand will surely increase in the future.
Because of their spontaneity and many vulnerabilities, blockchain bridges have been lucrative targets for hackers.
New solutions like Cosmos Network (ATOM) and Stargate Finance (STG) aim to solve that problem. However, the feasibility of these projects still needs more time to be proven.