What does the recent surge in cross-chain bridge hacks tell us? That they are the new favorite targets for hackers.
Almost every day, a new cross-chain protocol gets hacked, and funds get stolen. Is it because cross-chain protocols are more vulnerable to hacks? Or are there any specific groups of people targeting crypto bridges? Or is it just the very nature of crypto bridges?
Today, we’ll look at five of the biggest crypto cross-chain bridge hacks of 2022 and the parallels among them. By the end of this article, you’ll know why they are more prone to hacks.
What are Crypto Cross-Chain Bridges?
Cross-chain bridges are platforms that mint wrapped tokens. In other words, they allow cryptocurrencies to be used across different blockchains. For example, you can’t use Bitcoin on an Ethereum-based application, but with a bridge, it’s possible.
Most cross-chain bridges, especially trust-based bridges, have a custodian. The way it works is you send them the original underlying asset. Let’s take Bitcoin as an example. Upon receiving the original Bitcoin, the custodian will “mint” an equal amount of wrapped Bitcoins before sending them back to you.
You can then use the wrapped Bitcoin on other blockchain networks. It allows more liquidity to enter the market, which ultimately helps DeFi to grow.
The wrapped Bitcoin in itself is not valuable. Instead, its value is pegged 1:1 to the underlying Bitcoin held in reserve by the custodian. It’s somewhat similar to how stablecoins work.
Once you’re done and need your Bitcoins back, you simply send a “burn” request. The custodian will then burn the wrapped tokens and return your original Bitcoin.
Check out our guide on wrapped tokens for an in-depth analysis of how cross-chain bridges work.
Cross-Chain Bridge Hacks – Why are they More Prone to Hacks?
According to a report by Chainalysis, $2 billion has been hacked or stolen from bridges, accounting for 69% of all hacks in the DeFi space in 2022.
What do these numbers tell us? They tell us that cross-chain bridges are the favorite target for hackers. But why?
Well, there are mainly two reasons –
a) Similar to liquidity pools or lending pools, cross-chain bridges have one central storage of all their user funds. The underlying asset reserve is a lucrative and highly scalable target for hackers.
Previously, we used to see just as many hacks on centralized exchanges for the same reasons.
b) The second reason bridges are a common target for hackers is their security vulnerabilities.
Since bridges are still in their early stages of development, they lack the relevant information to build stronger, more robust security models, which makes it easier for hackers to target bridges. You’ll realize this as we go through the different cross-chain bridge hacks.
As we mentioned, centralized exchanges also used to be a common target for hackers. But the hacks actually provided a better understanding of the underlying code and its vulnerabilities, which helped these platforms build better security models. And now, centralized exchanges suffer far fewer attacks than they used to before.
However, developers of cross-chain bridges don’t have those references and familiarity yet.
Overall, security experts in the blockchain and cryptocurrency industry believe that DeFi protocols should invest more in training developers on blockchain security. This includes hiring security experts, conducting regular protocol audits, and doing everything in their power to build better security models, which other developers can use as a template and add to when creating a new application.
1. Ronin Network – $600 Million Hack
The Ronin Network is an Ethereum-based sidechain mainly used for playing Axie Infinity, a play-to-earn NFT game.
On March 23, a group of hackers managed to steal 173,600 ether and 25.5 million USDC, totaling up to $635 million in value, from the Ronin Network. The FBI later connected the hack to Lazarus, a group of North Korean hackers associated with many other hacks.
Most platforms never recover from such big hacks. But Ronin did. After the hack, the Ronin Network took strong measures to tighten security and prevent such attacks in the future. Plus, all users got their funds reimbursed by Sky Mavis, which is a huge win as well.
2. Wormhole – $300 Million Hack
The Wormhole attack was one of the early cross-chain bridge hacks of 2022.
Wormhole is the biggest cross-chain bridge, which supports seven blockchains – Terra, Solana, Ethereum, Binance Smart Chain, Fantom, Polygon and Avalanche, and has more than $200 billion in Total-Value Locked (TVL), representing 88% of the DeFi space right now.
On Feb 3, 2022, the protocol was drained of 120,000 wrapped Ether (wETH) tokens, totaling up to $370 million in value. Wormhole soon launched a bug bounty program, offering a reward of $10 million to the hacker to return all the funds and provide details of the exploit.
Unfortunately, the hacker never responded.
3. Nomad – $190 Million Exploit
The Nomad bridge attack is one of the most interesting cross-chain bridge hacks this year.
In August 2022, a hacker discovered that a recent update to Nomad’s smart contracts allowed users to fake transactions, meaning it never verified if a user deposited an equivalent amount of the original tokens before providing the wrapped versions. So theoretically, you can deposit 5 ETH and withdraw 500 wETH without the platform knowing.
What followed was total and absurd chaos. It was a free-for-all, take-as-much-as-you-want spree event for hackers and exploiters. The hard work was already done by the original hacker. The rest of them only copied and pasted the transaction and replaced the addresses.
Nomad Bridge lost around $190 million, 80% of which was stolen by copycats of the original hacker.
This is yet another example of how poor the security models of cross-chain bridges are and the importance of security audits and expert counseling for DeFi protocols.
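The mint-and-burn cycle described earlier and the missing deposit check in the Nomad incident can be put side by side in one model, which also shows how a reserve-versus-supply check exposes unbacked minting. This Python code is an added example, not code from Nomad or any bridge named here; all class, method and field names are hypothetical, the 5 and 500 figures are the article's own illustration, and the tracking of used deposit IDs goes slightly beyond what the text describes.

```python
# Added example: constructed model with hypothetical names, not any real bridge's code.
from dataclasses import dataclass, field

class BridgeError(Exception):
    """A mint or burn request that failed validation."""

@dataclass
class CustodialBridge:
    verify_deposits: bool = True                    # False models the missing check
    confirmed: dict = field(default_factory=dict)   # deposit_id -> amount actually received
    used: set = field(default_factory=set)          # deposit ids already minted against
    reserve: int = 0                                # underlying asset held by the custodian
    wrapped: dict = field(default_factory=dict)     # holder -> wrapped token balance

    def observe_deposit(self, deposit_id: str, amount: int) -> None:
        """Record a deposit the custodian has really received on the source chain."""
        self.confirmed[deposit_id] = amount
        self.reserve += amount

    def mint(self, deposit_id: str, holder: str, claimed: int) -> None:
        """Mint wrapped tokens for a claimed deposit."""
        if self.verify_deposits:
            if deposit_id in self.used:
                raise BridgeError("deposit already used for a mint")
            if self.confirmed.get(deposit_id) != claimed:
                raise BridgeError("claim does not match a confirmed deposit")
        self.used.add(deposit_id)
        self.wrapped[holder] = self.wrapped.get(holder, 0) + claimed

    def burn(self, holder: str, amount: int) -> int:
        """Burn wrapped tokens and release the same amount of the underlying asset."""
        if not 0 < amount <= min(self.wrapped.get(holder, 0), self.reserve):
            raise BridgeError("burn exceeds wrapped balance or reserve")
        self.wrapped[holder] -= amount
        self.reserve -= amount
        return amount

    def unbacked(self) -> int:
        """Wrapped supply not covered by the reserve; above 0 the 1:1 peg is broken."""
        return max(0, sum(self.wrapped.values()) - self.reserve)

def run_scenario(verify: bool) -> int:
    """Deposit 5 units, claim 500 (the article's numbers); return the unbacked supply."""
    bridge = CustodialBridge(verify_deposits=verify)
    bridge.observe_deposit("dep-1", 5)
    try:
        bridge.mint("dep-1", "alice", 500)
    except BridgeError:
        pass  # the verifying bridge rejects the inflated claim
    return bridge.unbacked()
```

A monitor that alerts whenever `unbacked()` rises above zero catches the unverified mint regardless of how the forged claim was constructed.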
4. Binance – $100 Million Hack
On 7 October, the BSC chain announced that it would halt all transactions and activities on the blockchain due to a security issue.
What was the security issue?
It was a hacker, or a group of hackers, who managed to withdraw over $100 million worth of BNB tokens by forging a fake message that tricked the smart contract logic of BSC token hub, a cross-chain bridge platform, into thinking it was a valid transaction.
However, it’s not as bad as it sounds.
Firstly, the hackers didn’t steal any user funds. Instead, they faked a transaction to mint 2 million new BNB tokens worth $568 million. So, no one lost their existing money.
Secondly, even though the hackers minted 2 million BNB, they failed to transfer most of it due to the suspension of all transactions and activities on the blockchain by Binance.
So, even though Binance lost around $100 million, it still came out on top.
5. Harmony – $100 Million Hack
In June 2022, Harmony, a cross-chain bridge platform where users can mint wrapped tokens, lost over $100 million in multiple cryptocurrencies following a hack. Even though there is very little information on how the hack was carried out, we do know who did it.
A report by Elliptic suggests this was the work of the infamous, state-backed North Korean cybercriminal organization Lazarus, the same group that was allegedly responsible for the Ronin attack and a bunch of the other cross-chain bridge hacks.
Following the hack, Harmony protocol released a reimbursement plan where hacked users will get Harmony’s ONE cryptocurrency every month for three years until they receive the full value of what they lost.
After receiving an overwhelmingly negative response from the community, Harmony came up with an alternative proposal to deploy their remaining treasury towards recovery and development. The plan is yet to be set in action.
Some experts believe that cross-chain bridges are inherently unsafe and go against the fundamental laws of blockchain, while others say they are essential for the growth and expansion of DeFi and crypto as a whole.
As unfortunate as these hacks are, they are inevitable and, some might argue, important. Without enough references and familiarity with the hacks, developers can’t find vulnerabilities in the code. If they can’t find it, they can’t fix it.
However, from a user point-of-view, no one wants to be a lab rat. No one wants to lose their hard-earned money to help companies build better security models.
If you’re a victim of a crypto hack, the best you can do after a hack is claim losses to reduce taxes if your country allows it.
Check out our guide on crypto hacks to know which countries allow claiming hacked or stolen crypto.