Bridges Are The New Targets for Crypto Crime
There are well over 100 blockchains serving all manner of purposes and constituencies. That fragmentation is an obstacle to large-scale adoption: each chain needs its own wallets, its own DEXes, and its own body of knowledge on the part of investors. It is no surprise, then, that the search for the next level of innovation has turned to interoperability between blockchains.
More than 40 projects are working on cross-chain bridges. It should come as no surprise either that vulnerabilities in these bridges are being attacked, and that successful hacks are becoming more and more common.
This heightens the need to understand bridge security, and to test for the different classes of vulnerability before a bridge goes into production.
Let’s take a look at four of the top hacks that have occurred through cross-chain bridges over the past year.
1. Meter, a blockchain infrastructure company, had $4.4 million stolen through its Meter Passport bridge. What happened?
“The hacker exploited a vulnerability of the bridge to mint a large amount of BNB and WETH tokens, which depleted reserves of these on the bridge, Meter Passport. Meter became aware of the depletion and halted all bridge transactions. They then proceeded to investigate further. The hacker exploited a bug introduced onto the bridge by the Meter team. The team created a new bug when they added the ability to wrap and unwrap BNB and ETH automatically. The code assumed trust incorrectly, which permitted the hacker to call the ERC20 deposit function to mimic transfers of BNB and ETH. The Meter and Moonriver networks were affected.” (https://beincrypto.com/cross-chain-bridge-hack-of-meter-sees-4-4m-stolen/)
The weak point was the bridge's deposit path. When the team added automatic wrapping and unwrapping of BNB and ETH, the ERC20 deposit handler began assuming that a deposit of the wrapped native token had already been funded by the wrapping step, and so did not itself pull the tokens from the caller. The handler was callable directly, so the attacker could report WETH and BNB deposits that never happened, have the matching tokens minted on the other side, and drain the bridge's reserves.
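The following is an added example of that class of bug, not Meter's code: a minimal Solidity bridge whose ERC20 deposit function special-cases the wrapped native token and skips the transfer, next to a hardened version that pulls every deposit and credits only what actually arrived. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Meter's code. A minimal bridge deposit contract with the
// class of bug described above, beside a hardened version. Contract and
// function names are hypothetical.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// WETH/WBNB-style wrapper: send native coin in, receive ERC20 tokens.
interface IWrappedNative is IERC20 {
    function deposit() external payable;
}

contract VulnerableBridge {
    IWrappedNative public immutable wrappedNative;
    // token => depositor => amount the relayer will mint on the other chain
    mapping(address => mapping(address => uint256)) public credited;

    event Deposit(address indexed token, address indexed from, uint256 amount);

    constructor(IWrappedNative _wrappedNative) {
        wrappedNative = _wrappedNative;
    }

    // Native path added with the auto-wrap feature: wrap msg.value, then
    // credit it as a deposit of the wrapped token.
    function depositNative() external payable {
        wrappedNative.deposit{value: msg.value}();
        credited[address(wrappedNative)][msg.sender] += msg.value;
        emit Deposit(address(wrappedNative), msg.sender, msg.value);
    }

    // ERC20 path. BUG: for the wrapped native token it trusts that the funds
    // already arrived via depositNative() and skips the transferFrom. The
    // function is external, so anyone can call it directly with the wrapped
    // token's address and any amount, and be credited for tokens never sent.
    function deposit(address token, uint256 amount) external {
        if (token != address(wrappedNative)) {
            require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        }
        credited[token][msg.sender] += amount;
        emit Deposit(token, msg.sender, amount);
    }
}

contract HardenedBridge {
    IWrappedNative public immutable wrappedNative;
    mapping(address => bool) public allowedToken;
    mapping(address => mapping(address => uint256)) public credited;

    event Deposit(address indexed token, address indexed from, uint256 amount);

    constructor(IWrappedNative _wrappedNative) {
        wrappedNative = _wrappedNative;
        allowedToken[address(_wrappedNative)] = true;
    }

    function depositNative() external payable {
        wrappedNative.deposit{value: msg.value}();
        _credit(address(wrappedNative), msg.sender, msg.value);
    }

    // No special case: every ERC20 deposit, wrapped native included, is pulled
    // from the caller here, and the amount credited is what actually arrived
    // (the balance delta), not what the caller claimed.
    function deposit(address token, uint256 amount) external {
        require(allowedToken[token], "token not allowed");
        uint256 balBefore = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - balBefore;
        require(received == amount, "short transfer");
        _credit(token, msg.sender, received);
    }

    function _credit(address token, address user, uint256 amount) internal {
        credited[token][user] += amount;
        emit Deposit(token, user, amount);
    }
}
```

The balance-delta check does more than fix this one bug: it also protects against fee-on-transfer or otherwise misbehaving tokens, because the bridge credits what it holds rather than what the caller asked for.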
2. Poly Network, which moves assets between the Binance Smart Chain, Ethereum and Polygon blockchains, had $610 million stolen.
The exploit was partly due to its trusted relayer set-up (Poly calls the relayers "keepers") and partly due to a failure to properly validate the transactions it executed on the destination chain.
“…the hacker had ‘exploited a vulnerability between contract calls’ — where a contract can modify the keeper of a contract and execute a transaction.” (https://www.zdnet.com/finance/blockchain/poly-network-hackers-potentially-stole-610-million-is-bitcoin-still-safe/)
The Dragonfly Research write-up describes the design that made this possible:
“Cross-chain transactions on Poly Network are facilitated by a group of trusted keepers, who sign blocks on the source blockchains. Their signatures are then verified on the destination chain by a gatekeeper smart contract, which then executes transactions. The same smart contract also controls a directory of keepers and can change them when signatures are verified.” (https://medium.com/dragonfly-research/secure-the-bridge-cross-chain-communication-done-right-part-i-993f76ffed5d)
So the issue was that one smart contract both verified keeper signatures and executed the resulting calls, while also controlling the directory of keepers. A crafted cross-chain transaction could therefore target the keeper directory itself and swap in attacker-controlled keys, after which the attacker's own signatures were all that was needed to authorize transfers. Signature verification and keeper management should never share a privilege boundary. Oops.
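As an added example (not Poly Network's own code), here is the design reduced to two Solidity contracts: a keeper registry that holds the keeper set and verifies threshold signatures, and a manager that executes signed cross-chain calls. The vulnerable manager owns the registry and will call any target, so a signed message can make it rotate its own keepers; the hardened manager never owns the registry and only executes allow-listed targets. All contract, function and role names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Poly Network's code: the role confusion described above,
// reduced to a keeper registry plus a cross-chain executor. Names are hypothetical.
contract KeeperRegistry {
    address public owner;              // may replace the keeper set
    uint256 public threshold;          // keeper signatures required per message
    mapping(address => bool) public isKeeper;

    constructor(address _owner, address[] memory keepers, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= keepers.length, "bad threshold");
        owner = _owner;
        threshold = _threshold;
        for (uint256 i = 0; i < keepers.length; i++) isKeeper[keepers[i]] = true;
    }

    // Whoever owns the registry decides who may authorize cross-chain messages.
    function setKeepers(address[] calldata removed, address[] calldata added, uint256 _threshold) external {
        require(msg.sender == owner, "not owner");
        for (uint256 i = 0; i < removed.length; i++) isKeeper[removed[i]] = false;
        for (uint256 i = 0; i < added.length; i++) isKeeper[added[i]] = true;
        threshold = _threshold;
    }

    // Reverts unless `digest` carries at least `threshold` distinct keeper signatures.
    // Signers must come in ascending address order, which rules out duplicates and
    // the address(0) that ecrecover returns on failure.
    function verify(bytes32 digest, bytes[] calldata sigs) external view {
        require(sigs.length >= threshold, "too few signatures");
        address last = address(0);
        for (uint256 i = 0; i < sigs.length; i++) {
            address signer = _recover(digest, sigs[i]);
            require(signer > last, "unsorted or duplicate signer");
            require(isKeeper[signer], "not a keeper");
            last = signer;
        }
    }

    // 65-byte r || s || v signature over the raw digest, v in {27, 28}.
    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        return ecrecover(digest, uint8(sig[64]), bytes32(sig[0:32]), bytes32(sig[32:64]));
    }
}

// BUG: this manager is deployed as the registry's owner and calls whatever target
// the keepers sign for. A message whose target is the registry and whose data is
// setKeepers(currentKeepers, attackerKeys, 1) rotates the keeper set; from then on
// the attacker alone can authorize withdrawals.
contract VulnerableCrossChainManager {
    KeeperRegistry public immutable registry;
    mapping(bytes32 => bool) public executed;  // replay protection

    constructor(KeeperRegistry _registry) { registry = _registry; }

    function execute(address target, bytes calldata data, bytes[] calldata sigs) external {
        bytes32 digest = keccak256(abi.encode(block.chainid, address(this), target, data));
        require(!executed[digest], "already executed");
        registry.verify(digest, sigs);
        executed[digest] = true;
        (bool ok, ) = target.call(data);
        require(ok, "target call failed");
    }
}

// Hardened: the registry is owned by a separate governance address (e.g. a timelocked
// multisig), never by the executor, and the executor only calls targets governance
// has allow-listed, which can never include itself or the registry.
contract HardenedCrossChainManager {
    KeeperRegistry public immutable registry;
    address public immutable governance;
    mapping(address => bool) public allowedTarget;
    mapping(bytes32 => bool) public executed;

    constructor(KeeperRegistry _registry, address _governance) {
        require(_registry.owner() != address(this), "executor must not own registry");
        registry = _registry;
        governance = _governance;
    }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == governance, "not governance");
        require(target != address(this) && target != address(registry), "privileged target");
        allowedTarget[target] = allowed;
    }

    function execute(address target, bytes calldata data, bytes[] calldata sigs) external {
        require(allowedTarget[target], "target not allowed");
        bytes32 digest = keccak256(abi.encode(block.chainid, address(this), target, data));
        require(!executed[digest], "already executed");
        registry.verify(digest, sigs);
        executed[digest] = true;
        (bool ok, ) = target.call(data);
        require(ok, "target call failed");
    }
}
```

The two managers verify signatures identically; the only differences are who owns the registry and which targets may be called. That is the whole point: the signature check was never the problem, the privilege the executor held over the keeper set was.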
3. Qubit Finance's bridge between Ethereum and the Binance Smart Chain was drained of roughly $80 million.
“Essentially what the attacker did is take advantage of a logical error in Qubit Finance’s code that allowed them to input malicious data and withdraw tokens on Binance Smart Chain when none were deposited on Ethereum.” (https://news.bitcoin.com/hacker-siphons-80-million-from-qubit-cross-chain-bridge-largest-defi-exploit-of-2022-to-date/)
The deposit function could be called with a token address of 0, which was still whitelisted as a valid resource, and the token transfer it relied on never failed against that address: “One of the root causes of the vulnerability was the fact that tokenAddress.safeTransferFrom() does not revert when the tokenAddress is the zero (null) address (0x0…000).” (https://certik.medium.com/qubit-bridge-collapse-exploited-to-the-tune-of-80-million-a7ab9068e1a0)
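Why a "safe" transfer can succeed against the zero address is worth seeing in code. The following is an added Solidity example, not Qubit's code: a low-level transfer wrapper of the kind found in many older SafeERC20 copies, a deposit handler that falls for it, and a hardened handler with the checks that close the hole. Contract names, the resourceID scheme and the event are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Qubit's code. It shows why a "safe" transfer wrapper can
// succeed against the zero address, a deposit handler that falls for it, and
// the checks that close the hole. Names are hypothetical.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

library LooseSafeERC20 {
    // A pattern found in many older SafeERC20 copies: low-level call, and an
    // empty return is accepted so tokens that return nothing (USDT-style) work.
    // The EVM treats a CALL to an address with no code as a success with empty
    // return data, so against address(0) this passes without moving anything.
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
    }
}

contract VulnerableResourceBridge {
    using LooseSafeERC20 for IERC20;
    // resourceID => token. The native-coin resource maps to address(0)
    // because native deposits are meant to go through depositETH().
    mapping(bytes32 => address) public resourceToToken;
    mapping(bytes32 => bool) public resourceAllowed;
    // Relayers watch this event and mint the matching amount on the other chain.
    event Deposit(bytes32 indexed resourceID, address indexed from, uint256 amount);

    constructor(bytes32 nativeResource) {
        resourceAllowed[nativeResource] = true; // address(0) is now a whitelisted "token"
    }

    function depositETH(bytes32 resourceID) external payable {
        require(resourceAllowed[resourceID] && resourceToToken[resourceID] == address(0), "not native");
        emit Deposit(resourceID, msg.sender, msg.value);
    }

    // BUG: called with the native resourceID, `token` is address(0). The loose
    // wrapper does not revert, so a Deposit for any `amount` is emitted with no
    // ETH and no tokens received, and the other chain mints against it.
    function deposit(bytes32 resourceID, uint256 amount) external {
        require(resourceAllowed[resourceID], "resource not allowed");
        IERC20 token = IERC20(resourceToToken[resourceID]);
        token.safeTransferFrom(msg.sender, address(this), amount);
        emit Deposit(resourceID, msg.sender, amount);
    }
}

contract HardenedResourceBridge {
    mapping(bytes32 => address) public resourceToToken;
    mapping(bytes32 => bool) public resourceAllowed;
    event Deposit(bytes32 indexed resourceID, address indexed from, uint256 amount);

    constructor(bytes32 nativeResource) {
        resourceAllowed[nativeResource] = true;
    }

    function depositETH(bytes32 resourceID) external payable {
        require(resourceAllowed[resourceID] && resourceToToken[resourceID] == address(0), "not native");
        require(msg.value > 0, "no value");
        emit Deposit(resourceID, msg.sender, msg.value);
    }

    // Three checks, any one of which stops the attack: the ERC20 path refuses
    // the zero address, refuses any address without code (a call to it can
    // only ever "succeed"), and credits the balance actually received.
    function deposit(bytes32 resourceID, uint256 amount) external {
        address token = resourceToToken[resourceID];
        require(resourceAllowed[resourceID] && token != address(0), "not an ERC20 resource");
        require(token.code.length > 0, "token has no code");
        uint256 balBefore = IERC20(token).balanceOf(address(this));
        LooseSafeERC20.safeTransferFrom(IERC20(token), msg.sender, address(this), amount);
        require(IERC20(token).balanceOf(address(this)) - balBefore == amount, "short transfer");
        emit Deposit(resourceID, msg.sender, amount);
    }
}
```

The code-length check is the one practitioners most often forget: any address without code, not just the zero address, makes a low-level call "succeed" with empty return data, which is exactly the case the loose wrapper treats as a successful transfer.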
4. The Wormhole bridge between Solana and Ethereum was exploited for 120,000 wrapped ETH (worth about $320 million at the time).
“…the attacker broke the connection (pegging) structure of WeETH by exploiting a vulnerability in the Solana part of the Wormhole bridge. Using just a small volume of ETH as collateral, the attacker created 120,000 WeETH, which was then pulled out by exchanging it into Solana, USDC, and other cryptocurrencies.” (https://haruinvest.com/blog/solana-wormhole-hack/)
In effect the attacker bypassed guardian signature validation entirely. The version of the Solana program that Wormhole was running did not verify the address of an account it relied on during signature verification, so the attacker could pass in a counterfeit account in its place and have the program treat forged signatures as verified, then mint wrapped ETH against them with almost no real ETH behind it.
Proceed With Caution… And You Can…
There have been numerous other bridge attacks, with losses well into the hundreds of millions of dollars, all stemming from errors and vulnerabilities in the smart contracts the bridge uses to validate transactions and transfer assets.
Are there suddenly more vulnerabilities in blockchain code than in other code? Likely not. But blockchain code is generally public, open-source code, so anyone with sufficient interest and commitment can read it and hunt for vulnerabilities. And because the contracts custody the assets directly and transactions cannot be reversed, any bug found is immediately and irreversibly monetizable.
Another likely culprit is the lack of rigorous testing in the rush to get code into production, a systemic issue in software development generally. Given the money at stake, there is a strong incentive on both sides: to find the vulnerabilities, and to shore them up.
That means blockchain developers and projects need testing processes that are rigorous and thorough, and that can withstand an independent security audit. A bug bounty program can also help a great deal: it enlists white-hat hackers to review the codebase and locate vulnerabilities before black-hat hackers find them.
Whichever way you slice it, it's a "pay now or pay later" proposition, and paying later can be far more expensive than taking a little longer to make sure the smart contracts behind your bridge are well designed, well built and rigorously tested.