What are Cross Chain Bridges?
When two blockchains cannot natively connect, cross-chain bridges allow users to move assets and data. This promotes interoperability and innovation in Web3, Decentralized Finance, and NFTs. Usually, they operate by first locking assets on a source chain, after which they mint or release a comparable “wrapped” version of the asset on the destination chain. The wrapped asset becomes locked when it is returned to the original chain, and the original asset becomes unlocked. Considered a fundamental component of Web3 infrastructure, bridges allow developers to have chain-agnostic experiences and facilitate the smooth transfer of tokens and messages for users.
How Blockchain Bridge Attacks Occur
Blockchain bridge attacks take use of flaws in the systems that allow assets to be moved across blockchains. These attacks frequently use custodian compromise, smart contract manipulation, or design flaws in the bridge to steal or misappropriate money. Code attacks and network design attacks are the two primary categories into which blockchain bridge attacks often fall.
Code Attacks (Smart Contract Vulnerabilities)
Bugs in Smart Contracts: In order to manufacture equal tokens on one chain and lock assets on another (or vice versa), bridges mostly rely on smart contracts. These smart contracts may contain bugs, logical errors, or inadequate input validation that let attackers get around regulations, start unauthorized mints, or syphon off money.
Network Design Attacks (Validator Compromise/Private Key Exploits)
Compromised Private Keys: A multisig scheme or a group of validators are used by many bridges to authorize cross-chain transactions. By compromising the private keys of a sizable portion of these validators (for example, by phishing, social engineering, or inadequate operational security), attackers can take over and approve fraudulent transactions.
51% Attacks (for less decentralized bridges): For less decentralized bridges, an attacker can approve phoney messages and alter transaction flow if they take over more than half of the validators guarding the bridge. For bridges with a small or semi-centralized collection of validators, this is very risky.
Oracle Manipulation: To retrieve data from other blockchains or other sources, bridges frequently employ oracles. False data sent to an oracle by an attacker may lead to the bridge approving fraudulent transactions based on inaccurate information.
Prevalence and Impact of Attacks
A significant percentage of all Web3 attacks have targeted cross-chain bridges, making them a prime target for malevolent actors. DefiLlama claims that about $2.8 billion has been taken from cross-chain bridges to date, which amounts to over 40% of the total amount of money that was compromised in Web 3.
Over $2 billion in bitcoin was stolen in 13 different cross-chain bridge hacks in 2022 alone; these attacks accounted for 69% of the entire amount of money taken that year. Building trust in blockchain technology and the stability of the multi-chain ecosystem as a whole are seriously threatened by these instances. Hackers associated with North Korea, for example, have taken about $1 billion in cryptocurrencies, all using bridges and other DeFi protocols.
Why are Cross-Chain Bridges Vulnerable and Attractive Targets?
Centralized Storage of Funds: Funds supporting the “bridged” assets are frequently centrally stored in bridges. Regardless of whether it is controlled by a centralized custodian or locked in a smart contract, hackers find this storage location to be a profitable target.
Novel Technology and Technical Complexity: The designs of cross-chain bridges are still being developed and tested because they are a relatively new technology. Numerous layers and components make up their intricate architecture, which leads to a number of failure sites. There may be vulnerabilities in their smart contracts because the programming required to link two blockchains is still in its infancy.
Lack of Battle-Testing: Bridges are more susceptible to unidentified vulnerabilities because they haven’t been as extensively battle-tested as more well-known blockchains like Bitcoin.
Open-Source Code: Open-source projects are designed to promote transparency, but some accidentally allow undesirable actors to study, duplicate, or edit bridge software, making weaknesses easier to uncover.
Lack of Regulation and KYC: Since there are no KYC processes and the DeFi ecosystem is essentially unregulated, bridge hackers can avoid legal action because it is hard to identify and prosecute them.
Common Vulnerabilities Leading to Attacks
Unsecure Private Key Management
Private keys, or a combination of private keys, are frequently used by bridge operators to control bridge operations. The most prevalent cause of well-known hacks is compromises brought on by inadequate operational security procedures or private key management. Centralized networks are extremely insecure since all funds can be controlled by one entity.
For Example, the CEO’s keys were compromised at Multichain Bridge, two of five keys were compromised at Harmony Bridge, five of nine keys were compromised at Ronin Bridge, and seven of ten keys were compromised at Orbit Chain.
Unaudited Smart Contracts / Smart Contract Bugs
For token minting, burning, locking, and unlocking, smart contracts are widely used in cross-chain protocols. Code that is poorly written or has not been audited can be exploited, even though smart contracts can enforce security checks. Code flaws may enable hackers to get around regulations or embezzle money.
Examples include the following: Wormhole (exploitation of the verification process), Qubit (logic error), Meter.io (faulty assumption), Nomad Bridge (incorrectly implemented default accepted root), Binance Bridge (merkle proof verification vulnerability), and Socket Interoperability Protocol (infinite approvals).
The blockchain platform itself (such as Ethereum’s public memory pool or reliance on timestamps), the smart contract architecture (such as uncontrolled access, flawed logic, recursive calls, external dependencies, DoS susceptibility, upgrade risks, inadequate input validation, and race conditions), and the particulars of the programming language (such as Solidity’s arithmetic over/underflows, Vyper’s limited functionality, or C++‘s memory management) can all lead to smart contract vulnerabilities.
Unsafe Upgradability Processes
Code or parameters can be updated by developers with upgradeable contracts. An attack vector may be introduced by an insecure upgrade procedure. Thus, it is essential to carefully build proxy contracts and include appropriate permission checks and timelocks.
Single Network Dependency / Centralization Risks
Some bridges employ one validator network, therefore a vulnerability might affect all blockchain transactions and values, creating a full-blown hack. One element, such as a central custodian, oracle, or validator, might compromise the system as a whole, causing a Single Point of Failure (SPOF). Centralized organizations can also censor, control, or manipulate and fraud (such as modifying transaction details, stealing assets, or fraudulently creating/destroying tokens).
Unproven Validator Sets / Validator Flaws
Operators, or validators, are essential to the bridge. Operational security (OPSEC) and inexperienced validator sets can be dangerous. The validator set’s inability to consistently execute transactions poses a serious danger of freezing user cash. Validator weaknesses that allow hackers to take advantage of validation procedures include the Wormhole hack’s vulnerability in digital signature validation and the Ronin Network hack’s validator takeover, in which attackers take control of the majority of validators.
No Active Transaction Monitorin
The lack of real-time identification and response to unusual activity. For instance, the Ronin Bridge hack was discovered six days after it happened, which is a blind spot that could have been fixed with constant monitoring.
Lack of Rate Limits
Rate restrictions restrict how much value may be moved between chains in a specific amount of time. This last line of defence is really effective. As demonstrated by the “every single bridge hack in which all of the value was stolen in a short time frame,” hackers can quickly deplete all assets without them.
Oracle Manipulation
Oracles are frequently used by bridges to retrieve data from other blockchains or the external environment. False data fed into an oracle by an attacker may result in fraudulent transactions.
Types of oracle manipulation include:
- Data Feed Manipulation: Data feed manipulation is the process of changing or fabricating data that smart contracts are fed.
- Oracle Identity Theft: Oracle identity theft is the practice of injecting false data by pretending to be an authorised oracle.
- Sybil Attacks: Sybil attacks include the creation of several false identities within the oracle network in order to sway consensus.
Liquidity Issues
Consult the list of available and transferable assets over the bridge. Problems may come from:
- Imbalanced Liquidity: When there are substantial differences in the availability of assets on both sides of the bridge, leading to delays or disparities in cost.
- Flash Loan Attacks: Attackers deplete the bridge’s liquidity by taking out big loans without collateral and manipulating market pricing.
- Liquidity Withdrawal Attacks (Rug Pulls): Abrupt, significant withdrawals of collateralized assets, frequently by malevolent developers or “whales,” which disrupt the platform and result in losses.
Real-World Examples of Cross-Chain Bridge Exploits
Examples of Real-World Cross-Chain Bridge Exploits Notable instances consist of:
Poly Network (August 2021): In this case, the attackers used a clever access control hack to transfer the “keeper” job to their own address by manipulating a smart contract function (verifyHeaderAndExecuteTx). Bypassing the planned verification process, they were able to carry out arbitrary transactions and deplete more than $600 million in different tokens. The majority of the money was later refunded by the attacker.
Qubit (January 2022): Attackers took advantage of a logical error in the custom code of the smart contract, notably in the way it processed deposits. Qubit’s bridge contained a flaw that let the attacker enter malicious material in place of a safe, standardised library. In order to withdraw an equivalent number of tokens on the Binance Smart Chain without actually locking any assets, this deceived the contract into thinking a deposit had been made on Ethereum.
Wormhole Bridge (February 2022): This exploit, which cost $375 million, was caused by a serious weakness in the way digital signatures were validated. On the bridge’s Solana side, the attackers were able to create a “Validator Action Approval” (VAA). They created unbacked tokens that they subsequently redeemed by minting 120,000 wETH (wrapped Ethereum) on Solana using this fictitious VAA without first depositing the actual ETH on the Ethereum chain.
Meter.io (February 2022): An inaccurate assumption regarding wrapped native tokens was the cause of this attack. Due to a flaw in the bridge’s handling of some tokens, specifically wrapped BNB (BNB.bsc), attackers were able to manufacture and withdraw valuable assets without the necessary backing by using the bridge’s acceptance of valueless tokens as valid collateral.
Ronin Bridge (March 2022): This was a serious attack including private key compromise. For transaction signing, the Ronin Network employed a 5-of-9 validator multisig approach. Through social engineering, the attackers were able to get five private keys four from Sky Mavis and one from an outside Axie DAO validator. They were able to sign and authorize illegal withdrawals of 173,600 ETH and 25.5 million USDC using most of the keys, which led to a $624 million loss. Notably, the intrusion was uncovered six days after it happened.
Harmony Bridge (June 2022): The private keys of two of the five multisig validators were compromised in this exploit, much like in Ronin. The attackers were able to authorize fake transactions and take out about $100 million from the bridge’s coffers as a result.
Nomad Bridge (August 2022): The trusted root was improperly initialized to 0x00 due to a smart contract default, which led to this vulnerability. Because of this serious issue, every message was effectively auto-proved, enabling users to fake transactions and withdraw money that wasn’t rightfully theirs. Due to widespread participation, the attack swiftly turned into a “free-for-all” and cost $190 million.
Binance Bridge (October 2022): A flaw in the IAVL Merkle proof verification system was abused in this attack. A flaw in a precompiled contract that managed Merkle tree validations was used by the attackers. They created a fake Merkle proof that enabled them to create a legitimate transaction, which resulted in the illegal transfer of 2 million BNB, which at the time was valued at more than $570 million.
Multichain Bridge (July 2023): According to reports, the CEO of Multichain was in possession of hacked private keys, which resulted in large-scale unauthorized withdrawals from many bridge routes, causing a substantial disruption and financial loss for customers.
Cellframe Network (June 2023): Issues with token counts during a liquidity transfer led to this lightning credit attack. In order to permit withdrawals that are not adequately backed, the specifics frequently entail adjusting the perceived balance or credit inside the bridge’s liquidity pools.
Orbit Chain (January 2024): Using this attack, seven out of ten multisig private keys were compromised. The attackers were able to syphon off a sizable amount of money from the bridge as they had most of the validator keys.
ALEX bridge (May 2024): Security firms claimed that the $4.3 million in suspicious transactions in this instance were probably the result of a hacked private key after the protocol’s deployer account upgraded its contract.
Socket Interoperability Protocol (January 2024): An “infinite-approval wallet.” This kind of vulnerability usually gives an attacker limitless spending power from a compromised wallet that had previously granted indefinite permission to a malicious or abused contract. The bug affected a “infinite agreement wallet.”
Are Crypto Bridges Safe?
Not all blockchain bridges are “unsafe,” yet they weaken the Web3 ecosystem. Users should check the operational history of any bridge protocol they plan to employ for hacks, third-party security assessments, and security protocols and leadership. Bridges that are trustworthy and those that are not have both been compromised in the past. Although developers are constantly attempting to build more secure bridges, consumers must exercise caution and make educated decisions.