As newer blockchains continue to launch, cross-chain bridges are becoming more indispensable than ever to enhance the interoperability between blockchain ecosystems.
That said, the innovation also opens up a large attack surface. According to Chainalysis, cross-chain bridge hacks alone account for up to 69% of stolen funds in 2022.
There have been 13 cross-chain bridge attacks to date, the majority of them in 2022.
This article gives a concise summary of all the cross-chain hack events of 2022 for better clarity on the security of cross-chain bridges today.
How Do Cross-Chain Bridges Yield Interoperability Of Crypto Assets?
Let’s understand the operation of a cross-chain bridge through an example.
A user has assets on the Ethereum network but needs to use them on Polygon. He immediately seeks a centralized exchange like Coinbase or Binance and converts his ETH holdings into MATIC to use on Polygon.
Now, he wants the remaining MATIC token to be converted back into ETH. So, he will have to go through the same process all over again.
Cross-chain bridges simplify this process and provide an easier way to transfer assets back and forth between different blockchain networks.
How does it do that?
Most cross-chain bridges function on the lock-and-mint model to achieve interoperability.
Take the same scenario, in which the user wants to use ETH tokens on the Polygon network. Let’s look at how he can do it through a cross-chain bridge.
- The user can send the ETH token to a specific address on the Ethereum chain and pay the transaction fee.
- The ETH tokens are locked in a smart contract by the validator or held by a custodial service.
- Now MATIC tokens of value equal to locked ETH tokens are minted on the Polygon chain (i.e. destination chain)
- The user receives the MATIC token in his wallet and he can use it to make transactions
What if the user wants to get back his ETH token?
This is where the ‘burning of tokens’ comes into the picture.
- User can send their remaining MATIC token in the wallet to a specific address in the Polygon chain.
- These MATIC tokens are burned such that the funds cannot be reused
- The smart contract or custodial service releases the ETH tokens and credits them to the user’s wallet.
In reality, cross-chain bridges work by wrapping tokens to be used from one blockchain to another.
If a user wants to use Bitcoin in the Ethereum network, cross-chain bridges convert the BTC in Bitcoin blockchain into wrapped Bitcoin (wBTC) on the Ethereum blockchain.
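The lock-and-mint and burn-and-release steps above imply an invariant a defender can monitor: wrapped supply on the destination chain must never exceed what is locked on the source chain. The following is an added example, not code from any bridge project; the `Bridge` class, its method names and the deposit ids are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Bridge:
    locked: int = 0                              # source-chain tokens in custody
    wrapped: dict = field(default_factory=dict)  # destination-chain balances
    minted_ids: set = field(default_factory=set) # deposit ids already minted

    def lock(self, deposit_id: str, amount: int) -> dict:
        """Source chain: take custody of tokens and emit a deposit event."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.locked += amount
        return {"id": deposit_id, "amount": amount}

    def mint(self, user: str, event: dict) -> None:
        """Destination chain: mint once per deposit event (no replays)."""
        if event["id"] in self.minted_ids:
            raise ValueError("deposit already minted")
        self.minted_ids.add(event["id"])
        self.wrapped[user] = self.wrapped.get(user, 0) + event["amount"]

    def burn_and_release(self, user: str, amount: int) -> int:
        """Burn wrapped tokens, then release the same amount from custody."""
        if amount <= 0 or self.wrapped.get(user, 0) < amount:
            raise ValueError("insufficient wrapped balance")
        self.wrapped[user] -= amount
        self.locked -= amount
        return amount

    def unbacked_supply(self) -> int:
        """Wrapped supply minus locked collateral; above 0 means unbacked mints."""
        return sum(self.wrapped.values()) - self.locked


def demo() -> tuple:
    bridge = Bridge()
    bridge.mint("user", bridge.lock("dep-1", 10))   # lock 10, mint 10
    bridge.burn_and_release("user", 4)              # burn 4, release 4
    healthy = bridge.unbacked_supply()
    # Constructed fault: a deposit event with no matching lock on the source chain.
    bridge.mint("other", {"id": "dep-unverified", "amount": 1000})
    return healthy, bridge.unbacked_supply()
```

A monitor that compares the two chains and alerts when `unbacked_supply()` rises above zero catches a mint that was accepted without a real deposit, whatever the underlying verification flaw was.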
From this, it is easy to see that there is considerable complexity, as the source and destination blockchains use two different smart contracts. Issues on either side therefore put the user’s funds at risk.
Bridges Can Be Of Two Types: Trusted & Trustless
Broadly, the bridge type determines who holds power over the funds.
Trusted bridges are operated by central entities that take custody of the funds transferred through bridges.
Trustless bridges function on smart contracts and algorithms, and the smart contract itself initiates every action. So in that way, users have control over their assets.
Disruptions That Led To Cross-Chain Bridge Breaches
Recent records of hacks from 2021-22 clearly depict that DeFi bridges are the most sought-after targets by attackers.
Tracing the hacks that have ever happened since the foundation of cross-chain bridges
As said before, 2022 accounts for the majority of hacks, so let’s look at what went wrong in each of them.
“2M BNB token worth $586M stolen from BSC token hub.”
BSC token hub is a Binance bridge connecting the old Binance Beacon chain and the BNB chain. By showing a false proof of deposit on the Binance Beacon chain, the attacker minted 2M BNB from the BNB bridge.
The hacker exploited a flaw in the way the Binance bridge verified proofs and borrowed 1M BNB in each of two transactions.
The attacker then used the borrowed fund as collateral on the BSC lending platform Venus protocol, and the liquidity was instantly transferred to other blockchain networks.
“Nomad bridge fell for a savage attack losing $190M of liquidity”
The Nomad hack turned out to be permissionless: anyone could join in and exploit it. Following a routine contract upgrade, the Replica contract was initialised with a bug.
The process() function is responsible for cross-chain message execution and has an internal requirement to validate the merkle root before processing messages.
Taking advantage of the coding bug, the exploiter was able to call the process() function directly without having to ‘prove’ their validity.
The bug in the code validated the ‘messages’ value of 0 (invalid, according to legacy logic) as ‘proven’. This meant any process() call was approved as valid, leading to the exploit of funds from the bridge.
Many hackers took the chance to loot massive money through a simple copy/paste of the same process() function call via Etherscan.
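The zero-value bug described above, as an added Python model beside its hardened form. This is not Nomad's Solidity code: apart from process() and the messages mapping named in the text, the class layout, `trusted_roots`, `acceptable_root`, the `reject_zero_root` switch and the two-leaf tree are assumptions made for illustration.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # default value read for a message that was never proven


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(leaf: bytes, path) -> bytes:
    """Fold a leaf up the tree; path items are (sibling, sibling_is_left)."""
    node = leaf
    for sibling, sibling_is_left in path:
        node = h(sibling + node) if sibling_is_left else h(node + sibling)
    return node


class Replica:
    def __init__(self, trusted_roots, reject_zero_root: bool):
        self.trusted_roots = set(trusted_roots)  # roots accepted as confirmed
        self.messages = {}                       # message hash -> root proven under
        self.processed = set()
        self.reject_zero_root = reject_zero_root

    def prove(self, message: bytes, path) -> bool:
        """Record the root a message proves to, if that root is trusted."""
        root = merkle_root(h(message), path)
        if root not in self.trusted_roots:
            return False
        self.messages[h(message)] = root
        return True

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: "never proven" can never count as proven
        return root in self.trusted_roots

    def process(self, message: bytes) -> bool:
        key = h(message)
        root = self.messages.get(key, ZERO_ROOT)  # unproven -> zero value
        if key in self.processed or not self.acceptable_root(root):
            return False
        self.processed.add(key)
        return True


def run(reject_zero_root: bool) -> tuple:
    """Constructed two-leaf tree; initialisation left ZERO_ROOT in the trusted set."""
    sibling = h(b"other message")
    root = h(h(b"proven transfer") + sibling)
    replica = Replica({ZERO_ROOT, root}, reject_zero_root)
    replica.prove(b"proven transfer", [(sibling, False)])
    return replica.process(b"proven transfer"), replica.process(b"never proven")
```

With the zero root trusted, `run(False)` accepts the message that was never proven; `run(True)` still processes the proven one and rejects the other, which is the regression test an upgrade review would want for any "default value means valid" path.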
“Harmony hit the hard road losing over $100M to a private key compromise”
The Harmony bridge was secured by a 2-of-5 multisig, and the attacker managed to gain access to two of the addresses.
The hacker used the compromised addresses, which were all that was necessary to pass any transaction, and finally took $100M from the bridge.
A few suspect that the private key compromise may be due to the hacker gaining access to the servers that run these hot wallets.
Ronin Network (unaudited)
“The biggest of the crypto hacks – Ronin exploit for ~$624M”
Ronin was an Ethereum side-chain that worked on the Proof of Authority model with nine validators for approving transactions.
Approval from five out of nine validators is required to approve deposit and withdrawal transactions. Of these, four validators are internal team members, so only one more signature is needed to authorize transactions.
In addition to compromising the four internal validator nodes, the hacker also gained access to this fifth signature, draining the funds from the Ronin bridge contract.
Regrettably, the attack was identified only after almost a week.
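Both the Harmony 2-of-5 multisig and the Ronin 5-of-9 validator set show that the nominal threshold overstates security when several keys sit in one trust domain. The check below is an added example, not code from either project: it computes how many independent domains must be compromised to reach quorum. The "external-N" and "host-N" names are constructed, and the Harmony host layouts are hypothetical, since the page does not say how those keys were hosted.

```python
from collections import Counter


def quorum_exposure(threshold: int, signer_domains: dict) -> dict:
    """signer_domains maps signer id -> trust domain (operator, host, custodian)."""
    if not 0 < threshold <= len(signer_domains):
        raise ValueError("threshold must be between 1 and the number of signers")
    keys_per_domain = Counter(signer_domains.values()).most_common()
    collected, domains_needed = 0, 0
    for _, keys in keys_per_domain:  # taking the largest domains first is optimal
        collected += keys
        domains_needed += 1
        if collected >= threshold:
            break
    largest_domain, largest_keys = keys_per_domain[0]
    return {
        "domains_needed": domains_needed,
        "largest_domain": largest_domain,
        "keys_missing_after_largest": max(threshold - largest_keys, 0),
    }


# Ronin as described in the text: 9 validators, 4 run by the internal team.
RONIN = {f"validator-{i}": "internal-team" for i in range(1, 5)}
RONIN.update({f"validator-{i}": f"external-{i}" for i in range(5, 10)})

# Harmony 2-of-5 under two hypothetical hosting layouts (constructed).
HARMONY_SEPARATE = {f"signer-{i}": f"host-{i}" for i in range(1, 6)}
HARMONY_SHARED = {**HARMONY_SEPARATE, "signer-2": "host-1"}


def report() -> dict:
    return {
        "ronin": quorum_exposure(5, RONIN),
        "harmony_separate": quorum_exposure(2, HARMONY_SEPARATE),
        "harmony_shared": quorum_exposure(2, HARMONY_SHARED),
    }
```

For the Ronin layout the result is two domains, with one key missing once the internal team is compromised. In the shared-host Harmony layout a single server breach reaches quorum.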
“$4.4M taken from Meter.io due to bridge attack”
Meter.io, a fork of ChainSafe’s ChainBridge, launched with a change in the deposit method used by the ERC20 handler.
The discrepancies in the deposit method were leveraged by the hacker, who looted funds by sending an arbitrary amount in the calldata.
“Wormhole incident with the hacker netting $326M in the process”
Wormhole, a Solana bridge, was manipulated to believe 120k ETH was deposited on Ethereum, which allowed the hacker to mint equivalent wrapped assets on Solana.
The hackers took advantage of shortcomings in ‘solana_program::sysvar::instructions’ and in ‘solana_program’, which didn’t verify the address correctly. Using this, the attacker provided an address containing just 0.1 ETH and produced a fake ‘Signature set’ to fraudulently mint 120k wrapped ETH on Solana.
“Qbridge under the lens for $80M exploit”
Qubit allows the cross-chain collateralisation of assets between Ethereum and BSC.
A logic error made xETH available on BSC without an ETH deposit on Ethereum. This let hackers acquire collateral loans on Qubit despite not having any deposits locked in the Ethereum contract.
Some Light On Cross-Chain Bridge Security
In addition to the security measures built into the protocol design, performing thorough and regular audits minimises the attack surface. QuillAudits is a pioneering Tier-1 auditing firm with a good global reputation for securing projects.