Cross-chain Bridge Attack Review: $2 Billion at Risk, $1.55 Billion Recovered or Compensated
There are many public chains in the blockchain ecosystem, but due to the concentration of mainstream assets on a few chains, cross-chain bridges have become important tools for connecting different public chain assets. However, recent frequent DeFi security incidents have raised concerns about the security of cross-chain bridges. This article will review the 10 significant cross-chain bridge attack incidents in the past few years, summarize the lessons learned, and provide references for development teams and users.
ChainSwap: Approximately $8.8 million lost in two attacks
In July 2021, ChainSwap encountered two hacker attacks in just 9 days. The first attack resulted in a loss of approximately $800,000, while the second attack amounted to as much as $8 million, affecting over 20 projects using ChainSwap for cross-chain operations.
The cause of the incident was the protocol's failure to rigorously verify the validity of signatures, which allowed attackers to complete transactions using signatures they generated themselves. Since the affected assets were primarily governance tokens, ChainSwap and several affected projects chose to compensate holders and liquidity providers by taking snapshots and reissuing tokens.
Poly Network: $610 million in assets stolen fully recovered
On August 10, 2021, the cross-chain protocol Poly Network suffered a serious attack, resulting in a loss of approximately $610 million in assets across the Ethereum, Binance Smart Chain, and Polygon networks.
The attack exploited a vulnerability in the permission management of the Poly Network contract. The attacker successfully replaced the validator address of the target chain with an address they controlled, allowing them to sign and execute asset transfer operations.
Despite the attackers' meticulous planning and use of privacy tokens to obscure the source of the funds, they ultimately chose to return all the stolen funds. Poly Network subsequently referred to them as "white hat hackers" and proposed hiring them as chief security advisors.
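The Poly Network root cause above is a permission-management problem: the contract that executed cross-chain messages could be made to call the contract that stores the validator set. The following is an added, constructed Python model (not Poly Network's code; contract names, the "keepers" set, the 2/3 threshold and the signer sets are all assumptions for illustration) showing a dispatcher that forwards any signed message to any target, beside a version that refuses to dispatch into the privileged data contract, and why the weak version lets a caller replace the validators and then pass signature checks with its own key.

```python
"""Constructed model of a cross-chain message dispatcher (educational, not any project's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CrossChainMessage:
    to_contract: str   # name of the target contract on the destination chain
    method: str        # method to invoke on it
    args: tuple
    signers: frozenset  # stand-in for keeper signatures: which keepers attested to this message


class CrossChainData:
    """Stores the keeper (validator) set; only its owner may change it."""

    def __init__(self, owner: str, keepers: set):
        self.owner = owner
        self.keepers = set(keepers)

    def put_keepers(self, caller: str, new_keepers: tuple) -> None:
        if caller != self.owner:
            raise PermissionError("only the owner may change keepers")
        self.keepers = set(new_keepers)


class LockProxy:
    """An ordinary asset contract that the bridge is meant to reach."""

    def __init__(self):
        self.balances = {}

    def unlock(self, caller: str, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount


class CrossChainManager:
    """Verifies keeper signatures, then dispatches the message to its target contract."""

    NAME = "manager"  # the manager is also the owner of CrossChainData (assumed, as in the weak design)

    def __init__(self, data: CrossChainData, contracts: dict, restrict_targets: bool):
        self.data = data
        self.contracts = contracts
        self.restrict_targets = restrict_targets  # hardened variant refuses privileged targets

    def verify(self, msg: CrossChainMessage) -> bool:
        # Require signatures from at least 2/3 of the *current* keeper set.
        needed = (2 * len(self.data.keepers) + 2) // 3
        return len(msg.signers & self.data.keepers) >= needed

    def execute(self, msg: CrossChainMessage) -> bool:
        if not self.verify(msg):
            return False
        # Least privilege: the message path must never reach the contract that defines whom we trust.
        if self.restrict_targets and msg.to_contract == "data":
            return False
        target = self.contracts[msg.to_contract]
        getattr(target, msg.method)(self.NAME, *msg.args)
        return True


def demo(restrict_targets: bool) -> dict:
    """Returns what a user-originated message aimed at the data contract achieves."""
    data = CrossChainData(owner=CrossChainManager.NAME, keepers={"k1", "k2", "k3"})
    proxy = LockProxy()
    manager = CrossChainManager(data, {"data": data, "lockproxy": proxy}, restrict_targets)

    # Keepers attest that the message exists on the source chain; they do not vet its semantics,
    # so a message crafted by a user still arrives fully signed (constructed assumption).
    takeover = CrossChainMessage("data", "put_keepers", (("attacker",),), frozenset(data.keepers))
    dispatched = manager.execute(takeover)

    # If the takeover went through, a message signed only by the attacker now passes verify().
    drain = CrossChainMessage("lockproxy", "unlock", ("attacker", 1_000), frozenset({"attacker"}))
    drained = manager.execute(drain)

    return {"dispatched": dispatched, "keepers": sorted(data.keepers), "drained": drained,
            "attacker_balance": proxy.balances.get("attacker", 0)}


if __name__ == "__main__":
    print("weak:     ", demo(restrict_targets=False))
    print("hardened: ", demo(restrict_targets=True))
```

The hardened check is deliberately a denylist on the one contract that holds trust configuration; a production design would go further and give the data contract an owner that the message path can never impersonate, so that no dispatcher bug can reach it.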
Multichain: $6 million in assets affected, nearly half recovered
In January 2022, Multichain discovered a serious vulnerability affecting multiple tokens. Although the vulnerability has been fixed, nearly 8,000 user addresses were still affected, resulting in losses of approximately $6.04 million.
The security team's analysis found that the vulnerability stemmed from Multichain's failure to verify the legitimacy of tokens supplied by users, overlooking that not every token implements the specific functions the contract relied on. As a result, assets of certain users who had granted approvals were transferred to malicious addresses constructed by the attacker.
Multichain took swift action, recovering nearly 50% of the stolen funds in a short period of time. The team then proposed a compensation plan, but only for users who revoked contract authorization before the specified deadline.
QBridge: $80 million loss, only 2% compensation
At the end of January 2022, QBridge, the cross-chain bridge of the lending platform Qubit, was attacked, resulting in losses of up to $80 million.
The attacker exploited a critical vulnerability in QBridge when processing whitelist token transfers. Because the system did not perform a secondary confirmation for the zero address, the attacker was able to mint a large amount of xETH tokens out of thin air on the BSC network without depositing any actual assets. These counterfeit tokens were then used as collateral to borrow other tokens from Qubit, leading to the depletion of platform funds.
Currently, the usage rate of Qubit is close to zero, and official data shows that 98% of the stolen funds have not been compensated.
Meter.io: $4.4 Million Loss, Promises Future Earnings Compensation
In February 2022, the Meter Passport cross-chain bridge was attacked, resulting in a loss of $4.4 million.
The official explanation states that the issue lies in the "faulty trust assumption" in the Meter extension code, which allows attackers to forge BNB and ETH transfers by invoking the underlying deposit functionality.
Meter initially planned to compensate users for losses with the MTRG token, but after a community vote, it was decided to issue a new PASS token as compensation and promised to buy back these tokens with future profits. However, as of now, no buyback operations have been conducted.
Ronin: $620 million stolen, fully compensated
In March 2022, the Ronin chain behind Axie Infinity suffered a major security incident, resulting in losses of approximately $620 million. Notably, the attack occurred on March 23, but it was not discovered until nearly a week later.
The investigation shows that this is a complex social engineering attack. The attackers lured employees of Sky Mavis (the developer of Axie Infinity and Ronin) into downloading a "job offer letter" containing malware through a fake recruitment process. In this way, the hackers successfully penetrated the Ronin network and took control of multiple validation nodes.
Although the stolen funds were not directly recovered, Sky Mavis quickly completed a round of financing of $150 million to compensate users for their losses. At the end of June, the Ronin bridge reopened, allowing users to receive compensation. However, due to the significant drop in ETH prices during this period, the actual value of the compensation has shrunk by about two-thirds.
Wormhole: $326 million loss, fully compensated
In early February 2022, the cross-chain protocol Wormhole was attacked, resulting in a loss of approximately 120,000 ETH, valued at $326 million.
The attack exploited a vulnerability in the signature verification code of the core contract on the Solana side of Wormhole. The attacker successfully forged a message from the "guardian", allowing them to mint a large amount of whETH and withdraw an equivalent amount of ETH from Ethereum.
Fortunately, Wormhole's parent company Jump Crypto quickly injected 120,000 ETH, compensating for all losses, allowing Wormhole to quickly resume operations.
EvoDeFi: Estimated losses of over ten million dollars, not addressed.
In June 2022, the USDT on ValleySwap, the largest DEX in the Oasis ecosystem, experienced a severe de-pegging, resulting in significant capital outflow. Although the exact amount of loss has not been disclosed, it is estimated to be in the tens of millions of dollars.
The root of the problem lies in the severe lack of liquidity on the source chain for EvoDeFi, the cross-chain bridge used by ValleySwap. Although EvoDeFi attributed the issue to market panic, this explanation is not convincing. Oasis officials emphasized that they have no association with ValleySwap or EvoDeFi and pointed out that EvoDeFi carries high risks.
Unfortunately, users have not received any substantial remedy for their losses to date. The relevant parties appear to have chosen to evade responsibility, and the official social media accounts of ValleySwap and EvoDeFi have stopped updating since the incident.
Horizon: Nearly $100 million loss, compensation plan still under discussion
On June 24, 2022, Harmony's official cross-chain bridge Horizon was attacked, resulting in a loss of approximately $100 million.
Harmony founder Stephen Tse admitted that the attack was likely caused by a private key leak. The attack involved various assets on the Ethereum and BNB chains. After the incident, Horizon raised its multi-signature threshold from the original 2-of-5 to 4-of-5.
Harmony once proposed to partially compensate users' losses by issuing additional ONE tokens over a period of 3 years, but failed to gain unanimous support from the community. Currently, the team is reworking the compensation plan.
Nomad: $190 million in liquidity drained, part of the funds expected to be recovered
In early August 2022, the Nomad cross-chain bridge experienced a major security incident, resulting in a rapid loss of $190 million in liquidity. This event also indirectly affected the Layer2 interoperability protocol Connext, causing a loss of approximately $3.34 million.
The cause of the incident was that Nomad mistakenly initialized the trusted root to 0x00 during a contract upgrade. This allowed anyone to extract funds from the cross-chain bridges by simply modifying the transaction parameters.
According to the analysis, this attack involved 1,251 ETH addresses, of which 12 ENS addresses accounted for 38% of the total loss amount. Although the project team has not provided a clear compensation plan, some white-hat hackers have expressed their willingness to return the funds, bringing hope for recovering some of the losses.
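The Nomad root cause above, a trusted root initialized to 0x00, is worth seeing as an invariant check. The following is an added, constructed Python model (not Nomad's code; the Merkle tree, timestamps, message contents and the `reject_zero_root` switch are all assumptions for illustration) of a receiving-side contract that marks roots as confirmed, lets a message be proven against a confirmed root, and then processes it. Because an unproven message maps to the zero root by default, confirming the zero root at upgrade time makes every unproven message processable; the hardened variant refuses the zero root at both initialization and acceptance.

```python
"""Constructed model of a bridge replica's prove/process path (educational, not any project's code)."""
import hashlib
from dataclasses import dataclass, field

ZERO_ROOT = b"\x00" * 32  # the value an unproven message is mapped to by default


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def branch_root(leaf: bytes, branch: list) -> bytes:
    """Recompute a Merkle root from a leaf and its sibling path (toy tree with sorted pairs)."""
    node = leaf
    for sibling in branch:
        node = h(*sorted((node, sibling)))
    return node


@dataclass
class Replica:
    reject_zero_root: bool                      # False models the faulty behaviour, True the hardened one
    confirm_at: dict = field(default_factory=dict)   # root -> time from which it is trusted
    messages: dict = field(default_factory=dict)     # leaf -> root it was proven against
    processed: set = field(default_factory=set)      # replay protection

    def initialize(self, committed_root: bytes, now: int) -> None:
        # The faulty upgrade confirmed the zero root here; the hardened version refuses it.
        if self.reject_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.confirm_at[committed_root] = now

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        t = self.confirm_at.get(root, 0)
        return t != 0 and t <= now

    def prove(self, leaf: bytes, branch: list, now: int) -> bool:
        """Record that `leaf` is included under a confirmed root."""
        root = branch_root(leaf, branch)
        if not self.acceptable_root(root, now):
            return False
        self.messages[leaf] = root
        return True

    def process(self, leaf: bytes, now: int) -> bool:
        """Execute a message; it must have been proven against an acceptable root."""
        if leaf in self.processed:
            return False
        root = self.messages.get(leaf, ZERO_ROOT)  # unproven message -> zero root
        if not self.acceptable_root(root, now):
            return False
        self.processed.add(leaf)
        return True


def demo() -> dict:
    now = 1_000
    forged = h(b"constructed: withdraw 100 WETH to attacker")  # never proven against any root
    honest = h(b"constructed: withdraw 1 WETH to alice")
    sibling = h(b"constructed: another leaf")
    real_root = branch_root(honest, [sibling])

    weak = Replica(reject_zero_root=False)
    weak.initialize(ZERO_ROOT, now - 1)          # the faulty upgrade
    weak_accepts_forged = weak.process(forged, now)

    strong = Replica(reject_zero_root=True)
    strong.initialize(real_root, now - 1)
    strong_accepts_forged = strong.process(forged, now)
    honest_proven = strong.prove(honest, [sibling], now)
    honest_processed = strong.process(honest, now)
    honest_replayed = strong.process(honest, now)

    return {"weak_accepts_forged": weak_accepts_forged,
            "strong_accepts_forged": strong_accepts_forged,
            "honest_ok": honest_proven and honest_processed,
            "honest_replayed": honest_replayed}


if __name__ == "__main__":
    print(demo())
```

The lesson for reviewers of upgrade scripts is that any sentinel value a mapping returns "by default" (here, the zero root for unproven messages) must never be a value the trust store can legitimately hold; the hardened `initialize` and `acceptable_root` encode that invariant explicitly rather than relying on deployment parameters to avoid it.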
Summary and Insights
The frequent occurrences of security incidents in cross-chain bridges highlight the high risks in this field. Even well-known cross-chain bridges with high liquidity rankings, such as Multichain, Wormhole, and Poly Network, have encountered security issues, warning us that any cross-chain bridge may face security threats.
However, we also observe that projects with strong background and ample funding are often more effective in recovering assets or compensating users after experiencing security incidents. For instance, projects like Poly Network, Ronin Network, and Wormhole were able to achieve full or substantial compensation through various means after suffering significant fund thefts.
In addition, the team's real-time monitoring and rapid response capabilities are also crucial. For example, Hop Protocol and StarGate quickly took action upon receiving reports of suspicious activities, successfully preventing potential attacks.
These lessons remind us that when choosing cross-chain bridges, we should not only consider their technical strength but also pay attention to the background of the project team, financial strength, and risk management capabilities. At the same time, users should remain vigilant, regularly check authorization status, and exercise caution when using cross-chain services.