Exploring the hacks that lead to million-dollar losses.
Cross-chain bridges don’t need an introduction. They have been used for a while and are an awesome way to move funds from one chain to another. Bridges help better our experience in Web3, as QuillAudits helps better the security of protocols. As bridges deal with a lot of funds, it is only reasonable to ensure their safety, and safety is often the top priority in such protocols. Still, 2022 was full of cross-chain hacks.
- January: Qubit — $80 million
- February: Wormhole — $375 million
- March: Ronin Bridge — $624 million
- June: Harmony — $97 million
- August: Nomad Bridge — $190 million
Let’s talk individually about each cross-chain hack mentioned above to learn what went wrong with them and educate ourselves to make better decisions.
On 27th January 2022, Qubit, a cross-chain bridge, was hacked. The series of transactions was as follows: after getting 77,162 qxETH through an exploit, the attacker used it to borrow 15,688 wETH, converted that to 767 BTC-B, and then used these funds to get hold of stablecoins and put them into some protocols. In total, this resulted in $80 million of value lost.
Surprisingly, this exploit resulted from a logical error in Qubit Finance’s code. This flaw allowed the attackers to send malicious inputs to the contract functions resulting in the withdrawal of tokens on BSC while no deposit was made on Ethereum.
[Image: Qubit contract code]
At the very core of the exploited vulnerability was the tokenAddress.safeTransferFrom() function in Qubit Finance’s code: the attacker realised that this function does not revert when the tokenAddress is null.
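A simplified Python model of the failure described above, added here as an illustration and not Qubit's contract code. It assumes the usual EVM behaviour that a low-level call to an address holding no code reports success with empty return data; the `Chain`, `Token`, `safe_transfer_from` and `deposit` names are hypothetical.

```python
ZERO = "0x" + "00" * 20  # the null token address

class Token:
    """Minimal ERC-20 stand-in (constructed for this example)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transferFrom(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True

class Chain:
    """Models one EVM rule: a call to an address with no code succeeds."""
    def __init__(self):
        self.code = {}       # address -> contract object
        self.deposits = []   # deposit events a relayer would mirror on the other chain

    def low_level_call(self, addr, fn, *args):
        target = self.code.get(addr)
        if target is None:
            return True, None            # no code: success, empty return data
        try:
            return True, getattr(target, fn)(*args)
        except ValueError:
            return False, None           # callee reverted

def safe_transfer_from(chain, token, src, dst, amount, require_code):
    # Hardened path: refuse to "transfer" a token that is not a contract.
    if require_code and token not in chain.code:
        raise RuntimeError("token address has no code")
    ok, ret = chain.low_level_call(token, "transferFrom", src, dst, amount)
    # Common helper pattern: accept success with either no return data or `true`.
    if not (ok and (ret is None or ret is True)):
        raise RuntimeError("transfer failed")

def deposit(chain, token, depositor, amount, require_code=False):
    """Bridge deposit: pull tokens in, then record the event that triggers minting."""
    safe_transfer_from(chain, token, depositor, "bridge", amount, require_code)
    chain.deposits.append((token, depositor, amount))
```

With `require_code=False` a deposit for `ZERO` is recorded although no balance changed; with `require_code=True` the same call is rejected before any event is emitted.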
Wormhole, one of the popular bridges facilitating cross-chain transactions between the Solana and Ethereum blockchains, lost around $320 million, standing second to the Ronin bridge (more on this later) in 2022.
On 2nd February 2022, the attacker set out to bypass the verification process of the Wormhole bridge on Solana. The attacker bypassed the verification step, successfully injected a fake sysvar account and minted 120,000 wETH. A tweet on the 3rd of February announced the $320 million exploit of the protocol. To contain the situation, Wormhole’s parent company announced that it would supply ether to replace what was stolen, after the attacker did not respond to the offer of a $10 million award in return for the stolen funds.
You would be surprised to know that all this was possible because of just one deprecated function. Yes! The root of this exploit was the deprecated function “load_current_index”, used under “verify_signatures”, which deals with the verification process. The issue with “load_current_index” was that it did not verify that the supplied “sysvar account” was actually the “system sysvar”, which created room for the attacker to exploit.
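The missing check described above, as a simplified Python model added for illustration; it is not Wormhole's or Solana's code. The account layout, the `signature-check` marker, the sysvar address constant and all function names are constructed stand-ins, and the model assumes the verification step uses the sysvar to confirm that a signature-check instruction preceded it in the same transaction.

```python
from dataclasses import dataclass

# Constructed stand-in for the address of the runtime-owned instructions sysvar.
INSTRUCTIONS_SYSVAR = "sysvar-instructions"

@dataclass(frozen=True)
class Account:
    key: str      # address of the account
    data: tuple   # for the real sysvar: the instructions of the current transaction

def genuine_sysvar(instructions):
    """What the runtime exposes: the instructions actually in the transaction."""
    return Account(INSTRUCTIONS_SYSVAR, tuple(instructions))

def load_unchecked(account, index):
    """Deprecated-style read: parses whatever account the caller supplied."""
    return account.data[index]

def load_checked(account, index):
    """Checked read: refuses any account that is not the sysvar itself."""
    if account.key != INSTRUCTIONS_SYSVAR:
        raise PermissionError("account is not the instructions sysvar")
    return account.data[index]

def verify_signatures(account, current_index, loader):
    """Accept only if the instruction before this one was the signature check.

    `account` is whichever account the caller listed in the sysvar slot, so the
    answer is only trustworthy when `loader` validates the account address.
    """
    if current_index == 0:
        return False                      # nothing ran before this instruction
    previous = loader(account, current_index - 1)
    return previous == "signature-check"
```

The program code is identical in both cases; only the loader decides whether caller-controlled data can stand in for runtime-provided data.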
The Ronin bridge hack was a stealthy one: it wasn’t even noticed for the next 6 days, until a user notified the team of the inability to withdraw about 5k ETH from the bridge, which led to the uncovering of the stolen funds.
This hack was allegedly an attack by the North Korean Lazarus Group and resulted in a loss of around $600 million. It was based on the compromise of the private keys of the validator nodes, with spear-phishing attacks as the main cause of the exploit.
The Ronin network uses a set of nine validator nodes to approve a transaction on the bridge, and a deposit or withdrawal needs the approval of the majority, that is, five of these nodes. In November 2021, Axie DAO temporarily allowed Sky Mavis to sign transactions on its behalf, but guess what? The allowance was never revoked.
This means that Sky Mavis could still generate signatures on Axie DAO’s behalf. The attacker took advantage of this: they first compromised the Sky Mavis systems and then used this allowance to generate a signature from the third-party validator controlled by Axie DAO. In short, with access to Sky Mavis systems, the attacker could generate valid signatures for five Ronin network validators and then successfully drain funds.
On 23rd June 2022, the Harmony bridge was compromised, and various tokens were taken from the bridge, including ETH, WETH, WBTC, USDT, USDC, etc. With a loss of around $97 million, the Harmony bridge fell victim to a cross-chain hack similar to Ronin.
The bridge was protected by a 2-of-5 MultiSig, which means that 2 keys out of a total of 5 keys were required to validate a transaction. The attackers compromised 2 keys and drained the money. This was all possible because the attackers could access and decrypt a sufficient number of these keys.
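A custody check that covers both the Ronin and Harmony cases above, added here as an example and not taken from either project: it computes how many independent operators must be compromised before the signing threshold is met, counting delegations that were never revoked. The custody records are constructed; only the 5-of-9 and 2-of-5 thresholds and the unrevoked Axie DAO allowance come from the article.

```python
from itertools import combinations

def signing_reach(validators, delegations):
    """Map each operator to the validator keys it can sign with: keys it holds
    plus keys reachable through delegations that were never revoked."""
    reach = {}
    for validator, holder in validators.items():
        reach.setdefault(holder, set()).add(validator)
    for delegate, validator, revoked in delegations:
        if not revoked:
            reach.setdefault(delegate, set()).add(validator)
    return reach

def min_operators_to_quorum(validators, delegations, threshold):
    """Smallest set of operators whose combined reach meets the threshold."""
    reach = signing_reach(validators, delegations)
    operators = sorted(reach)
    for size in range(1, len(operators) + 1):
        for combo in combinations(operators, size):
            keys = set().union(*(reach[op] for op in combo))
            if len(keys) >= threshold:
                return list(combo)
    return None  # threshold unreachable even with every operator

# Constructed custody layout for a 5-of-9 validator set (hypothetical assignment).
RONIN = {"v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
         "v5": "Axie DAO", "v6": "op-A", "v7": "op-B", "v8": "op-C", "v9": "op-D"}
# (delegate, validator, revoked?) - the temporary allowance that was never revoked.
RONIN_DELEGATIONS = [("Sky Mavis", "v5", False)]
# Constructed 2-of-5 layout with five separate key holders (hypothetical).
HARMONY = {"k1": "h1", "k2": "h2", "k3": "h3", "k4": "h4", "k5": "h5"}

if __name__ == "__main__":
    print(min_operators_to_quorum(RONIN, RONIN_DELEGATIONS, 5))
    print(min_operators_to_quorum(HARMONY, [], 2))
```

A result of length one means the nominal threshold is not protecting anything: a single operator's systems are enough to produce a quorum.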
It was 1st August 2022 when the Nomad Bridge faced an exploit resulting in a $190 million loss. It was a cross-chain bridge between Ethereum, Moonbeam, Avalanche, Evmos and Milkomeda.
Standing in the third position with a $190 million loss, the bridge was compromised due to a vulnerability in the initialisation process, allowing the attackers to bypass the verification process and drain funds from the bridge contract.
The attacker could directly call the “process()” function, which took a parameter “_message”. With an arbitrary “_message”, the attacker was able to bypass the verification. The contract was supposed to ensure that the message hash had been proven, using the acceptableRoot() function. It all boils down to the “prove()” function, which has a require statement that must be satisfied. The attacker could successfully execute the attack simply because zero counted as a valid confirmed root and so passed the require check.
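The zero-root bypass described above, as a toy Python model added for illustration and not Nomad's contract code. It assumes initialisation marks the supplied root as confirmed and that an unproven message reads back as the zero root, as an unset mapping slot would; SHA-256 and the `proof_ok` flag stand in for the real hash and Merkle proof check, and the `reject_zero_root` switch is a hypothetical hardening.

```python
import hashlib

ZERO_ROOT = bytes(32)

class Replica:
    """Toy model of the message-verification state (constructed for this example)."""
    def __init__(self, committed_root, reject_zero_root=False):
        self.confirm_at = {}   # root -> time from which it counts as confirmed
        self.messages = {}     # message hash -> root it was proven under
        self.reject_zero_root = reject_zero_root
        # Initialisation marks the supplied root as confirmed. Supplying the
        # zero root here is the mistake this example models.
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root, now):
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        confirmed_from = self.confirm_at.get(root, 0)
        return confirmed_from != 0 and confirmed_from <= now

    def prove(self, message_hash, root, proof_ok):
        # `proof_ok` stands in for Merkle proof verification against `root`.
        if not proof_ok:
            raise ValueError("invalid proof")
        self.messages[message_hash] = root

    def process(self, message, now=100):
        message_hash = hashlib.sha256(message).digest()
        # An unproven message has no entry, so it reads back as the zero root.
        root = self.messages.get(message_hash, ZERO_ROOT)
        if not self.acceptable_root(root, now):
            raise PermissionError("!proven")
        return "processed"
```

The same `process()` rejects unproven messages once the zero root can no longer be acceptable, either because initialisation used a real root or because `acceptable_root` refuses zero outright.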
By the stats of 2022, it is clear that bridges have been a target, resulting in losses worth millions. The 5 exploits on the cross-chain protocols accounted for around 56% of the total Web3. Despite being one of the most useful tools, bridges are lacking in security and are falling victim to attacks.
We will likely see more such attacks on the bridges soon. In these circumstances, it is of utmost importance for the bridges to secure themselves and their users. In the upcoming blog, we will be back with an audit guideline to help you understand a few of the crucial checks we need to ensure the protocol’s safety.
Meanwhile, remember that there is no alternative to going for an audit. With an audit, you can be sure about security. Not only that, without one the users will hesitate to trust the protocol. Getting audited is in favour of everyone, so get your project audited and help make Web3 a safer place. And who better to audit than QuillAudits? Visit our Website today and check out more such blogs.