On January 7, 2022, Ethereum co-founder Vitalik Buterin warned about the security of cross-chain bridges. He argued that assets connected across chains are not as secure as assets within a single blockchain. The million-dollar hacks listed below are a clear demonstration of Buterin's argument. So, where does the future of cross-chain bridges go? Is it time to abandon the idea of connecting blockchains with bridges?
Security risks of cross-chain bridges
The safety of transferring assets between blockchains is not guaranteed. In fact, no one can actually transfer or connect an asset to another blockchain. Instead, assets are deposited, locked, or burned on one chain and then credited, unlocked, or minted on the second chain.
Besides, blockchains cannot access off-chain information. No blockchain can verify on its own that any multi-blockchain asset has been bridged. Instead, an intermediary oracle confirms the accuracy of the off-chain information and interprets the data for on-chain use.
As a result, users must place trust in how a cross-chain bridge is implemented: first trust in the oracle data, then trust in the custodian. Typically, cross-chain bridges work by sending an asset to a custodian and receiving a wrapped version of that asset from the custodian on the second blockchain. The user must trust the custodian to secure the original asset and return the wrapped asset. Sometimes the custodian is a decentralized autonomous organization (DAO) or a smart contract. In any case, whether it is a DAO or a blockchain security company like BitGo, bridges require a lot of trust from users.
The next layer of trust concerns convertibility and comparable pricing. It is not enough to receive assets; users must also trust that they will be able to receive assets of equal value in return. An original asset must be exchanged for a wrapped asset, so users face parity risk: assets from cross-chain bridges must at least maintain parity with the original asset. Users therefore place their trust in the bridge not only at the time of swapping assets, but also whenever they expect to use the wrapped asset in the future.
In general, all security risks of an asset increase exponentially through bridge intermediaries. Worried about Tether Limited not being able to exchange one USDT for $1? When a USDT cross-chain bridge connects to a blockchain that is not supported by Tether Limited, that risk is increased further by custodians, smart contracts, liquidity and price parity. On top of that, there is the question of whether the cross-chain bridge will collapse just when you need to withdraw assets.
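An added example, not part of the original article: a reconciliation check that a bridge operator or independent monitor could run over the lock-and-mint model described above, flagging wrapped tokens minted without a matching deposit and wrapped supply that exceeds the locked collateral. The event tuple layout, the `reconcile` function and the sample events are assumptions constructed for illustration, and events are assumed to arrive in order.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample events (not real chain data):
# (chain, kind, reference id, asset, amount)
EVENTS = [
    ("source", "lock", "d1", "ETH", "10"),
    ("dest", "mint", "d1", "ETH", "10"),
    ("source", "lock", "d2", "ETH", "5"),
    ("dest", "mint", "d2", "ETH", "5"),
    ("dest", "mint", "d2", "ETH", "5"),       # same deposit credited twice
    ("dest", "mint", "d9", "ETH", "120000"),  # no lock exists for d9
    ("dest", "burn", "w1", "ETH", "4"),
    ("source", "unlock", "w1", "ETH", "4"),
]

def reconcile(events):
    """Return (findings, backing) for a lock-and-mint bridge event stream."""
    locks, minted_ids = {}, set()
    locked = defaultdict(Decimal)   # collateral held on the source chain
    wrapped = defaultdict(Decimal)  # wrapped supply on the destination chain
    findings = []
    for _chain, kind, ref, asset, amount in events:
        amt = Decimal(amount)
        if kind == "lock":
            locks[ref] = (asset, amt)
            locked[asset] += amt
        elif kind == "unlock":
            locked[asset] -= amt
        elif kind == "burn":
            wrapped[asset] -= amt
        elif kind == "mint":
            wrapped[asset] += amt
            if ref not in locks:
                findings.append(("mint_without_lock", ref, asset, amt))
            elif ref in minted_ids:
                findings.append(("duplicate_mint", ref, asset, amt))
            elif locks[ref] != (asset, amt):
                findings.append(("mint_mismatch", ref, asset, amt))
            minted_ids.add(ref)
    # Parity invariant: wrapped supply must never exceed locked collateral.
    backing = {a: locked[a] - wrapped[a] for a in set(locked) | set(wrapped)}
    for asset, surplus in sorted(backing.items()):
        if surplus < 0:
            findings.append(("undercollateralized", None, asset, -surplus))
    return findings, backing
```

A negative backing value is the amount of wrapped supply that has no collateral behind it, which is the parity failure the section describes.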
Cross-chain bridge exploits
Cross-chain bridges are like wormholes that transport matter through space, but they form and collapse spontaneously. In fact, Wormhole is the name of the largest cross-chain bridge protocol in the world, connecting the Ethereum and Solana blockchains. Like other cross-chain bridge protocols, Wormhole has been hacked. Below is a list of protocols that have been exploited and attacked by hackers.
Attackers stole $3 million in a Multichain cross-chain bridge exploit on January 19, 2022. When Multichain made its first announcement, users questioned the security of their assets. The announcement alerted users to withdraw WETH, MATIC, AVAX, PERI, OMT, and WBNB tokens from affected smart contracts on the platform. Later, Multichain said an attacker had returned 259 stolen ETH. Tether froze USDT on addresses associated with the exploit.
Qubit Finance lost 206,809 BNB ($80 million) in the QBridge exploit on January 27, 2022. The project had built its protocol on Binance Chain. The exploit generated 77,162 qXETH that the attackers exchanged for BNB tokens. Qubit offered to negotiate with the attacker to get the money back. https://twitter.com/QubitFin/status/1486984216072318977
The attackers created 120,000 wrapped ETH on Solana's blockchain using the Wormhole bridge on February 2, 2022. They created a fake signature account to validate transactions. A Paradigm researcher reverse engineered the attack and determined that Wormhole had failed to implement stronger authentication for its guardian signatures. https://twitter.com/samczsun/status/1489044999211823107
Meter.io's Meter Passport exploit
Meter.io's Meter Passport bridge lost $4.4 million in one operation on February 5, 2022. The exploit targeted the Moonriver smart contract platform on Polkadot's Kusama network. The attackers stole BNB and wrapped ETH, then sold the BNB on the decentralized exchange Uniswap. The exploit caused the BNB price to plummet, allowing other individuals to buy BNB at a low price and use it as collateral for loans on platforms like Hundred Crisis. The loans have impacted the supply of the affected lending applications. https://twitter.com/Meter_IO/status/1490103309834674177
The attackers stole 173,600 ETH and 25.5 million USDC (about $600 million) from the Ronin bridge on March 29, 2022. The exploit involved gaining access to the private keys of validator nodes. Ronin developers halted deposits and withdrawals until investigative agencies verify the issue. The developers built Ronin as an Ethereum sidechain for the Axie Infinity game to save on fees. However, that has caused them to suffer a security breach. https://twitter.com/ericgoldenx/status/1508844665881116674
Axie Infinity's "play to earn" game cost users $600 million.
WonderHero discovered a cross-chain bridge exploit on April 7, 2022, when the value of the native WND token unexpectedly plummeted by 50%. WonderHero lost $300,000 in WND tokens in the attack. WonderHero suspended its website, games, bridges, deposits and withdrawals during the investigation. After that, WonderHero rebooted the game system, markets and profits. WonderHero has posted an analysis confirming that the Binance bridge was hacked.
Harmony One's Horizon exploit
Harmony One's Horizon lost $100 million in an exploit on June 23, 2022. The team is working with law enforcement agencies and legal experts to investigate the exploit. The wallet address used to receive the stolen funds is labeled "Horizon Bridge Exploiter" on Etherscan. Horizon Bridge Exploiter currently holds just over $93,000 in cryptocurrency. https://twitter.com/harmonyprotocol/status/1540110924400324608
ChainSwap lost 20 million WILD tokens in one exploit on July 10, 2022. Wilder World uses WILD as its native token. A Twitter user who is a member of Wilder World discovered the ChainSwap exploit on 2022-07-10. The exploit also affected Antimatter, Optionroom, Umbrellabank, Nord, Razor, Peri, Unido, Oro, Vortex, Blank and Unifarm tokens. ChainSwap froze the Ethereum-Binance Smart Chain cross-chain bridge during its investigation. ChainSwap had previously been exploited for $800,000 in cryptocurrency on July 2 and has managed to recoup some of the damage in this attack.
Attackers stole $190 million in tokens by exploiting a vulnerability in Nomad's smart contract on August 2, 2022. Once the method of exploiting the smart contract became public, a mass attack stole a significant amount of assets. Andreessen Horowitz's CISO suggested that some of the attackers may have been white hat hackers aiming to keep money out of the hands of nefarious people. Nomad is working with law enforcement and private security companies to investigate, and has thanked white hat hackers for taking the initiative to protect the funds.