In Web3, a bridge is a decentralized application that facilitates the transfer of assets and data between different blockchains. Bridges are essential for achieving blockchain interoperability, which is crucial for the growth and development of the Web3 ecosystem.
Bridges are used to enable cross-chain communication, increase transaction flexibility, reduce fees, and improve scalability and network congestion. However, they also present security challenges, as they are critical communication pointspoints of communication between the two networks and can be targeted by malicious actors.
Let’s take a look at the 5 most impactful Web3 bridge hacks, what are the causes, results and what conclusions can be drawn.
Ronin Bridge (March 2022)| loses — $624m | exploit — Private Key Compromised (Social Engineering):
In March 2022, the Ronin Network, an Ethereum sidechain built for the popular play-to-earn nonfungible token game Axie Infinity, was hacked for over 173,600 Ether (ETH) and 25.5 million USD Coin (USDC) for a combined value of over $600 million. The attackers stole the funds by compromising private keys and gaining control of four validators controlled by Sky Mavis and a third-party Axie DAO validator that signed their malicious transactions. The Ronin Network hack was made possible by a few different errors in the Ronin Network, including Sky Mavis prioritizing the performance of the Ronin Network over its security and ignoring fundamental security best practices such as least privilege and the importance of monitoring.
Hackers breached the Ronin network by compromising validator nodes. They achieved this by gaining access to five private keys, exceeding the threshold needed to authorize transactions. The network initially relied on nine validators, four of which fell under the hackers’ control, along with a fifth managed by the Axie DAO (a decentralized organization).
The vulnerability stemmed from a temporary arrangement. In November 2021, Axie DAO granted Sky Mavis permission to handle transactions on its behalf to manage user volume. However, this access remained in place, creating a backdoor that hackers exploited to launch the attack.
The hackers laundered about $42 million worth of funds, or around 7.5% of the total, and the wallet belonging to the hackers of the Ronin Bridge has also started sending funds to currency mixer services. The FBI has attributed the Ronin Network hack attack to North Korean hackers, and the U.S. Treasury Department has sanctioned a cryptocurrency wallet used by attackers to receive stolen funds. The developers behind the game have sought help from various crypto exchanges and crypto analytic group Chainalysis to recover the stolen funds.
Poly Network (August 2021)| loses — $612m | exploit — Access Control Exploit:
In August 2021, Poly Network, a decentralized finance (DeFi) platform, was hacked, resulting in the theft of an estimated $612 million in various tokens. The attacker exploited a vulnerability in the protocol’s smart contracts, allowing them to set the keeper role to point to their address, enabling them to perform transactions at will and drain value from the project.
The attacker sent a specially formatted command to verifyHeaderAndExecuteTx, which reassigned the keeper role to them. From there, they could drain the value from the protocol. The PutCurEpochConPubKeyBytes function in the EthCrossChainData contract can update the keeper role. This function can be executed with a call to verifyHeaderAndExecuteTx in the EthCrossChainManager contract. The attacker brute-forced a string that, if set as _method in the code snippet above, gives the same 32-bit value. In this case, the attacker used the string “f1121318093” and called a cross-chain transaction from the Ethereum network to the Poly network by triggering and passing the string f1121318093 as _method.
The attacker claimed that the bridge hack was to demonstrate a major vulnerability in the protocol and was for the project’s own good. All assets were returned to Poly Network over the following 15 days, making it one of the largest security incidents in DeFi’s history in terms of mark-to-market value. The hacker claimed they carried out the theft “for fun” and that it was “always the plan” to eventually return the funds.
The Poly Network hack demonstrated the dangers of complexity and the importance of testing for undesired cross-function and cross-contract interactions.
Here are links to some other articles regarding this bridge hack:
BNB Bridge (October 2022)| loses — $566m | exploit — Proof Verifier Bug:
In October 2022, the BNB Chain’s cross-chain bridge, BSC Beacon, was hacked, resulting in the exploitation of a vulnerability in the bridge’s code. The attack led to the creation of 2 million BNB tokens, worth approximately $566 million, which were then transferred to accounts on other chains. The vulnerability was related to the way the BSC Token Hub verified proofs, allowing the attacker to forge arbitrary messages and exploit the system. As a response, the BNB Chain was temporarily shut down, and a hotfix was released to prevent the attacker from moving additional stolen BNB off-chain. The BNB Chain also planned to introduce a new on-chain governance mechanism to defend against future attacks.
The attack was contained, and the BNB Chain’s CEO assured the safety of the funds. The BNB Chain’s validators acted quickly to suspend the BSC and contain the issue. The impact of the hack was estimated to be around $100 million, as the majority of the stolen funds were frozen or blacklisted. The BNB Chain also introduced a new on-chain governance mechanism to defend against future attacks, the network validators now are able to vote on what will be done with the stolen funds, whether they will be frozen or not, or “auto-burn” them.
The exploit was a result of a bug in the smart contract, and the BNB Chain took measures to address the vulnerability and prevent similar incidents in the future. The incident highlighted the ongoing challenges and security concerns related to cross-chain functionality in the cryptocurrency space.
Wormhole Bridge (February 2022)| loses — $326m | exploit — Signature Exploit:
In February 2022, the Wormhole token bridge was hacked, resulting in the loss of 120,000 Wrapped Ether (wETH) tokens worth $321 million.
The attacker exploited a vulnerability in the Wormhole smart contract code that allowed them to mint 120,000 wETH. The hack took place on Solana’s side of the bridge, and there are fears that Wormhole’s bridge to Terra could be similarly vulnerable. The Wormhole team has offered a $10-million bug bounty for the return of the funds. The hack is the second-largest decentralized finance hack to date.
In February 2023, Jump Crypto and Oasis counter-exploited the Wormhole hacker and retrieved the ETH that was stolen from it. The Chicago trading firm appears to have recovered the 120,000 ether stolen during the 2022 Wormhole exploit. Wormhole has since stepped up its security, launched two $2.5 million bug bounty programs, and had a handful of third-party firms do a number of audits to resolve critical issues.
Nomad Bridge (August 2022)| loses — $190m | exploit — Trusted Root Exploit:
In August 2022, the Nomad crypto bridge suffered a significant hack that resulted in the loss of over $190 million in cryptocurrency.
The attack was facilitated by a vulnerability in the bridge’s smart contract, which was introduced during an update. The update inadvertently initialized the trusted roots to 0x00, which matched the value for untrusted roots, allowing any message to be considered valid.
This exploit was made possible by a simple copy-and-paste of a successful transaction, requiring no technical knowledge beyond the ability to find and replace addresses in a transaction. The attack was chaotic, with many users participating in the theft, and the incident led to a significant drop in the bridge’s total value locked (TVL).
The attack was one of the largest DeFi hacks in history and highlighted the vulnerabilities of cross-chain bridges, which have become a target for attackers due to the large amounts of assets they hold. The Nomad team responded by offering a bounty for the return of funds and working with law enforcement to address the situation. Despite the efforts, only a portion of the stolen funds were returned.
Conclusion
With all great new things, we always get new risks, and cross-chain bridges are no different. For further expansion of Web3 ecosystem, this part of crypto world need to be properly secured and organized. Some of these hacks are caused by the human factor, but despite this, this side of the case also needs technical progress.
As many cases have shown, hackers often return stolen funds and work with developers to fix problems and protect vulnerable software, so it makes sense to launch a bounty program rather than waiting for a hack to break a project and ruin a reputation.
The bug bounty program is not a 100% guarantee, but it is a step forward towards a secure future for Web3. Working with the community in this way brings more credibility to the project and certainly lowers the level of security.
You can find in this blog dedicated articles about vulnerabilities submitted through HackenProof bug bounty programs that saved a whole lot of assets.
We welcome you to start your bug hunting journey today, join our Discord community and gain knowledge of security research!