Exploring the hacks that result in million-dollar losses.
Cross-chain bridges need no introduction. They have been in use for some time and are an excellent solution for transferring funds from one chain to another. Bridges help improve our experience in Web3, just as QuillAudits helps improve the security of protocols. As bridges deal with a lot of funds, it is only reasonable to ensure their security, and security is often the top priority in such protocols. Nonetheless, 2022 was filled with cross-chain hacks.
- January: Qubit — $80 million
- February: Wormhole — $375 million
- March: Ronin Bridge — $624 million
- June: Harmony — $97 million
- August: Nomad Bridge — $190 million
Let’s talk individually about each cross-chain hack mentioned above to learn what went wrong with them and educate ourselves to make better choices.
On 27th January 2022, Qubit, an instance of a cross-chain bridge, was hacked. The sequence of transactions was as follows: after obtaining 77,162 qxETH through an exploit, the attacker used it to borrow 15,688 wETH, converted that to 767 BTC-B, and then used these funds to obtain stablecoins and deposit them in some protocols. In total, this resulted in $80 million of value lost.
Surprisingly, this exploit resulted from a logical error in Qubit Finance’s code. This flaw allowed the attackers to send malicious inputs to the contract functions, resulting in the withdrawal of tokens on BSC while no deposit was made on Ethereum.
Qubit contract code
At the very core of this exploited vulnerability was the tokenAddress.safeTransferFrom() function in Qubit Finance’s code: the attacker realised that this function does not revert when the tokenAddress is null.
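The failure mode described above, a transfer helper that returns normally for a token address with no code, is shown here next to a hardened form. This is an added example, not Qubit Finance's code; the library, contract and event names are hypothetical, and the assumption that the destination chain acts on the Deposit event is part of this model only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: all names are hypothetical, not Qubit Finance's code.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

library UnsafeTransfer {
    // Weak pattern: a low-level call to an address with no code (such as
    // address(0)) returns ok == true with empty return data, so this
    // function returns normally without moving any tokens.
    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        (bool ok, bytes memory data) = token.call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }
}

library CheckedTransfer {
    // Hardened pattern: refuse the zero address and any address without
    // deployed code before an empty return can count as success.
    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        require(token != address(0), "token is zero address");
        require(token.code.length > 0, "token has no code");
        (bool ok, bytes memory data) = token.call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }
}

contract BridgeDeposit {
    event Deposit(address indexed token, address indexed from, uint256 amount);

    // In this model the destination chain acts on the Deposit event, so the
    // event is emitted only after tokens have verifiably been pulled in.
    function deposit(address token, uint256 amount) external {
        CheckedTransfer.safeTransferFrom(token, msg.sender, address(this), amount);
        emit Deposit(token, msg.sender, amount);
    }
}
```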
Wormhole, one of the popular bridges facilitating cross-chain transactions between the Solana and Ethereum blockchains, lost around $320 million, standing second to the Ronin bridge (more on this later) in 2022.
On 2nd February 2022, the attacker bypassed the verification step of the Wormhole bridge on Solana, successfully injected a fake sysvar account and minted 120,000 wETH. A tweet on 3rd February announced the $320 million exploit on the protocol. To contain the situation, Wormhole’s parent company announced that it would supply ether to replace what was stolen, after the attacker did not respond to an offer of $10 million in return for the stolen funds.
You would be surprised to know that all this was possible because of just one deprecated function. Yes! The root of this exploit was a deprecated function, “load_current_index”, used under “verify_signatures”, which deals with the verification process. The issue with “load_current_index” was that it did not verify that the supplied “sysvar account” was actually the “system sysvar”, which created room for the attacker to exploit.
The Ronin Bridge hack was a stealthy one: it was not even noticed for the next 6 days, until a user notified the team of being unable to withdraw about 5k ETH from the bridge, which led to the uncovering of the stolen funds.
This hack is allegedly an attack by the North Korean Lazarus Group and resulted in a loss of around $600 million. It was based on the compromise of the private keys of the validator nodes, with spear-phishing attacks as the main cause of the exploit.
The Ronin network uses a set of nine validator nodes to approve a transaction on the bridge, and a deposit or withdrawal needs the approval of the majority, that is, five of these nodes. In November 2021, Axie DAO temporarily allowed Sky Mavis to sign transactions on its behalf, but guess what? The allowance was never revoked.
This means that Sky Mavis could still generate signatures. The attacker took advantage of this: they first compromised the Sky Mavis systems and then exploited this allowance to generate a signature from the third-party validator controlled by Axie DAO. In short, with access to Sky Mavis systems, the attacker could generate valid signatures for five Ronin network validators and then successfully drain funds.
On 23rd June 2022, the Harmony bridge was compromised, and various tokens were taken from the bridge, including ETH, WETH, WBTC, USDT, USDC, etc. With a loss of around $97 million, the Harmony bridge fell victim to a cross-chain hack similar to Ronin.
The bridge used a 2-of-5 multisig, which means that 2 keys out of a total of 5 were required to validate a transaction. The attackers compromised 2 keys to drain the money. This was all possible because the attackers could access and decrypt a sufficient number of these keys.
It was on 1st August 2022 that the Nomad Bridge faced an exploit resulting in a $190 million loss. It was a cross-chain bridge between Ethereum, Moonbeam, Avalanche, Evmos and Milkomeda.
Standing in third position with a $190 million loss, the bridge was compromised due to a vulnerability in the initialisation process, allowing the attackers to bypass the verification process and drain funds from the bridge contract.
The attacker could directly call the “process()” function, which took a parameter “_message”. With an arbitrary “_message”, the attacker was able to bypass the verification. The contract was supposed to ensure that the message hash had been proven, using the acceptableRoot() function. It all boils down to the “prove()” function, which has a require statement to be fulfilled. The attacker could successfully execute the attack simply because zero, accepted as a valid confirmed root, could bypass the require check.
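The zero-root problem described above can be modelled in a few lines, with the check that closes it. This is an added example, not Nomad's contract; the storage names confirmAt, messages and processed, and the sorted-pair Merkle hashing in prove(), are assumptions made for this model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model, not Nomad's code. confirmAt, messages, processed and the
// sorted-pair Merkle hashing are assumptions made for this example.
contract ReplicaModel {
    mapping(bytes32 => uint256) public confirmAt; // root => time it becomes acceptable
    mapping(bytes32 => bytes32) public messages;  // message hash => root it was proven under
    mapping(bytes32 => bool) public processed;

    constructor(bytes32 _committedRoot) {
        // Corrected initialisation: if a zero root were allowed here, every
        // unproven message (messages[h] == 0) would map to a confirmed root.
        require(_committedRoot != bytes32(0), "zero root");
        confirmAt[_committedRoot] = 1;
    }

    function prove(bytes32 _leaf, bytes32[] calldata _proof) external returns (bool) {
        bytes32 node = _leaf;
        for (uint256 i = 0; i < _proof.length; i++) {
            bytes32 sib = _proof[i];
            node = node < sib
                ? keccak256(abi.encodePacked(node, sib))
                : keccak256(abi.encodePacked(sib, node));
        }
        require(acceptableRoot(node), "root not confirmed");
        messages[_leaf] = node; // record which confirmed root covers this message
        return true;
    }

    function acceptableRoot(bytes32 _root) public view returns (bool) {
        // Defence in depth: the mapping default value must never pass.
        if (_root == bytes32(0)) return false;
        uint256 t = confirmAt[_root];
        return t != 0 && block.timestamp >= t;
    }

    function process(bytes calldata _message) external returns (bool) {
        bytes32 h = keccak256(_message);
        require(!processed[h], "already processed");
        // Weak form: this same require with confirmAt[bytes32(0)] set at
        // initialisation and no zero check in acceptableRoot(), so a message
        // that never went through prove() still passes.
        require(acceptableRoot(messages[h]), "message not proven");
        processed[h] = true;
        return true;
    }
}
```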
The 2022 figures make it clear that bridges have been a target, resulting in losses worth millions. The 5 exploits on the cross-chain protocols accounted for around 56% of the total Web3. Despite being among the most useful tools, bridges are lacking in security and falling victim to attacks.
We will likely see more such attacks on the bridges soon. In these circumstances, it is of utmost importance for the bridges to secure themselves and their users. In the upcoming blog, we will be back with an audit guideline to help you understand a few of the crucial checks we need to ensure the protocol’s safety.
Meanwhile, remember that there is no alternative to going for an audit. With an audit, you can be sure about security. Not only that, the users will hesitate to trust the protocol. Getting audited is in favour of everyone, so get your project audited and help make Web3 a safer place. And who better to audit than QuillAudits? Visit our Website today and check out more such blogs.