Part 1: Bridging the Blockchain: A Deep Dive into Cross-Chain Hacks and Failures

Part 1: Bridging the Blockchain: A Deep Dive into Cross-Chain Hacks and Failures

Part 1: Bridging the Blockchain: A Deep Dive into Cross-Chain Hacks and Failures

Part 1: Bridging the Blockchain: A Deep Dive into Cross-Chain Hacks and Failures

Part 1: Bridging the Blockchain: A Deep Dive into Cross-Chain Hacks and Failures

Table Of Content
Read Time: 5 minutes

Exploring the hacks that lead to million-dollar losses.

Cross-chain bridges don’t need an introduction. They have been used for a while and are an awesome way to move funds from one chain to another. Bridges help better our experience in Web3, as QuillAudits helps better the security of protocols. As bridges deal with a lot of funds, it is only reasonable to ensure their safety, and safety is often the top priority in such protocols. Still, 2022 was full of cross-chain hacks. 

  • January: Qubit — $80 million
  • February: Wormhole — $375 million
  • March: Ronin Bridge— $624 million
  • June: Harmony — $97 million
  • August: Nomad Bridge— $190 million

What Happened?

Let’s talk individually about each cross-chain hack mentioned above to learn what went wrong with them and educate ourselves to make better decisions.

Qubit

On 27th January 2022, Qubit, an example of a cross-chain bridge, was hacked. The series of transactions were as follows, after getting 77,162 qxETH through an exploit, the attacker used it to borrow 15,688 wETH and then convert it to 767 BTC-B then using these funds to get hold of stablecoins and put in some protocols. This whole resulted in $80 million of total value lost.

Surprisingly, this exploit resulted from a logical error in Qubit Finance’s code. This flaw allowed the attackers to send malicious inputs to the contract functions resulting in the withdrawal of tokens on BSC while no deposit was made on Ethereum.

Qubit contract code

At the very core of this exploited vulnerability was the tokenAddress.safeTransferFrom() function in Qubit Finance’s code, the attacker realised that this function does not revert when the tokenAddress is null.

Wormhole

The wormhole, one of the popular bridges facilitating cross-chain transactions linking the Solana and ethereum blockchains, lost around $320 million, standing second to the Ronin bridge(more on this later) in 2022.

On 2nd February 2022, the attacker attempted to bypass the verification process of the Wormhole bridge on Solana. The attacker bypassed the verification step and successfully injected a fake sysvar account and notoriously minted 120,000 wETH. A tweet on the 3rd of February announced the $320 million worth of exploitation on their protocol. To put a stitch on the situation, Wormhole’s parent company declared the supply of ether to replace what was stolen after getting no response for an award of $10 million in return for the stolen funds to the attacker.

You would be surprised to know that all this was possible because of just 1 deprecated function. YES!!, the root of this exploit was a deprecated function “load_current_index” under the “verify_signatures”, which deals with the verification process. The issue with the deprecated function “load_current_index” was that it did not verify the genuineness of the inputted “sysvar account” to be actually “system sysvar” which created room for the attacker to exploit.

Source:- Link

Ronin Bridge

A stealthy hack which wasn’t even noticed for the next 6 days until a user notified the team of the inability to withdraw about 5k ETH from the bridge, which led to the uncovering of the stolen funds.

This hack is allegedly an attack by a North Korean Lazarus Group and resulted in a loss of around $600 million. This was a hack based on the compromisation of the private keys of the validator nodes with the spear phishing attacks as the main cause for the exploit.

The ronin network uses a set of nine validator nodes to approve a transaction on the bridge, and a deposit or withdrawal needs the approval of the majority, that is, five of these nodes. In November 2021, Axie DAO temporarily allowed Sky Mavis to sign transactions on its behalf, but guess what? The allowance was never revoked.

This means that Sky Mavis could still generate signatures. The attacker took advantage of this and first compromised the Sky Mavis systems and exploited these signatures to generate a signature from the third-party validator controlled by Axie DAO. In short, with access to Sky Mavis systems, the attacker could generate valid signatures for five ronin Network validators and then successfully drain funds.

Harmony

On 23rd June 2022, the Harmony bridge was compromised, and various tokens were netted on the bridge, including ETH, WETH, WBTC, USDT, USDC, etc. With a record of around $97 million in loss, Harmony bridge fell victim to a cross-chain hack similar to Ronin.

To make a transaction, the user would need at least 2 out of 5 MultiSig, which means that 2 keys out of a total of 5 keys were required to validate a transaction. But the attackers compromised 2 keys to drain the money. This was all possible because the attackers could access and decrypt a sufficient number of these keys.

Nomad Bridge

It was 1st August 2022 when the Nomad Bridged faced an exploit resulting in a $190 million loss. It was a cross-chain bridge between Ethereum, Moonbeam, Avalanche, Evmos and Mikomeda.

Standing in the third position with a $190 Million loss, the bridge was compromised due to a vulnerability in the initialisation process, allowing the attackers to bypass the verification process and drain funds from the bridge contract.

The attacker could directly call the “process()” function, which took a parameter “_message”. The attacker with an arbitrary “_message” was able to bypass the verification. Later the contract had to ensure that the message hash was proven using the acceptableRoot() function. Then it all boils down to the “prove()” function, which has a required statement to be fulfilled. The attacker could successfully execute the attack just because the zero as a valid confirmed root could bypass the required check.

Conclusion

By the stats of 2022, it is clear that bridges have been a target resulting in losses worth millions. The 5 exploits on the cross-chain protocols accounted for around 56% of the total Web3. Despite being one of the most useful tools, the security of the bridges is lacking and falling victim to the attacks. 

We will likely see more such attacks on the bridges soon. In these circumstances, it is of utmost importance for the bridges to secure themselves and their users. In the upcoming blog, we will be back with an audit guideline to help you understand a few of the crucial checks we need to ensure the protocol’s safety.

Meanwhile, remember that there is no alternative to going for an audit. With an audit, you can be sure about security. Not only that, the users will hesitate to trust the protocol. Getting audited is in favour of everyone, so get your project audited and help make Web3 a safer place. And who better to audit than QuillAudits? Visit our Website today and check out more such blogs.

2,939 Views

Blockchain for dog nose wrinkles' Ponzi makes off ~$127M🐶

Project promised up to 150% returns on investment in 100 days, raising about 166.4 billion South Korean won — or about $127 million — from 22,000 people.

Latest blogs for this week

Understanding Fuzzing and Fuzz Testing: A Vital Tool in Web3 Security

Read Time: 5 minutes When it comes to smart contracts, ensuring the robustness and security of code is paramount. Many techniques are employed to safeguard these contracts against vulnerabilities
Read More

How EigenLayer’s Restaking Enhances Security and Rewards in DeFi

Read Time: 7 minutes Decentralized finance (DeFi) relies on Ethereum staking to secure the blockchain and maintain consensus. Restaking allows liquid staking tokens to be staked with validators in
Read More

ERC 404 Standard: Everything You Need to Know

Read Time: 7 minutes Introduction Ethereum has significantly shaped the crypto world with its introduction of smart contracts and decentralized applications (DApps). This has led to innovative developments in
Read More

DNS Attacks:  Cascading Effects and Mitigation Strategies

Read Time: 8 minutes Introduction DNS security is vital for a safe online space. DNS translates domain names to IP addresses, crucial for internet functionality. DNS ensures unique name-value
Read More

EIP-4844 Explained: The Key to Ethereum’s Scalability with Protodanksharding

Read Time: 7 minutes Introduction  Ethereum, the driving force behind dApps, has struggled with scalability. High fees and slow processing have limited its potential. They have kept it from
Read More

QuillAudits Powers Supermoon at ETH Denver!

Read Time: 4 minutes Calling all the brightest minds and leaders in the crypto world! Are you ready to build, connect, and innovate at the hottest event during ETH
Read More

Decoding the Role of Artificial Intelligence in Metaverse and Web3

Read Time: 7 minutes Introduction  Experts predict a transformative shift in global software, driven by AI and ML, marking the dawn of a new era. PwC predicts AI will
Read More

Transforming Assets: Unlocking Real-World Asset Tokenization

Read Time: 7 minutes In the blockchain, real-world assets (RWAs) are digital tokens that stand for tangible and conventional financial assets, including money, raw materials, stocks, and bonds. As
Read More
Scroll to Top

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:

1

Refer QuillAudits to Web3 projects for audits.

2

Earn rewards as we conclude the audits.

3

Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $200K+