April 27, 2024

How are Blockchain Bridges Hacked?

Aaron Mendoza August 3, 2022

The crypto industry has witnessed an enormous explosion of adoption. Many of the top blockchain networks have amassed large user bases and activity as the space continues to flourish.

Ethereum was the first to allow for smart contracts and provide users, traders, and developers with the tools and opportunities to benefit from its ecosystem of DeFi (decentralized finance) products and applications.

However, as Ethereum’s network grew, its armor began to crack – gas fees went through the roof and users began to experience slower speeds due to network overloads. Soon after came the emergence of other blockchain networks to help solve these issues, with many offering higher speeds, greater efficiency, cheaper transaction fees, and more. 

From this grew the need for a simple way to move digital assets between applications existing on different blockchains – that’s when bridges were introduced. And while bridges are now an essential means to an end in blockchain, malicious actors have found a way to exploit them.

Let’s dive deeper into what bridges are and the problem they’re facing today when it comes to security and hacks.

The Billion-Dollar Blockchain Bridge Problem

Blockchain bridges connect networks allowing the cross-chain transfer of digital assets between each other, allowing for further connectivity. These technologies have grown in popularity as the need has arisen for greater interoperability across networks.

The TVL (Total Value Locked) across all DeFi applications is currently $66+ billion, reaching a peak of around $221 billion in December 2021. Given the massive amount of value sitting within these dApps, it makes for a hunting ground for hackers looking to exploit systems to extract and steal user funds. 

As we lead into the second half of 2022, $1+ billion in funds have already been stolen as a result of blockchain bridge hacks. This is becoming a growing concern for the entire DeFi space and the promise of multi-chain ecosystems.

Since cross-chain bridges are essential to connect blockchain ecosystems, the growing amount of hacks, including bad press and news, is damaging the overall perception of the space. Moreover, blockchain bridge hacks can drastically reduce the security of networks and devalue assets, as exploits often present arbitrage opportunities. 

With the increasing danger of cross-chain bridges, users may be disincentivized to use them, slowing adoption as a whole. This is a major problem that needs attention now more than ever.

Major Hacks & Exploits

Several blockchain bridge hacks have had major effects and caused tremendous FUD (Fear, Uncertainty, Doubt), sending shockwaves across the industry. Here’s a list of some of the largest and most impactful to date:

  • Harmony: Recently in June 2022, Harmony revealed that $100 million in funds were stolen from its Horizon Bridge. 11 transactions took place that compromised user assets in ETH, BNB, USDT, USDC, and DAI, which were converted into ETH after the attack. Although exact details of the exploit aren’t known, it was noted that the hacker likely gained access to two multisig private keys to authorize the transfer of stolen assets.
  • Ronin Network: Ronin Network (developed Sky Mavis) was breached in March 2022, where hackers ran away with stealing ~$625 million (173,600 ETH) and 25.5 million USDC. These attackers compromised private keys in order to initiate and fake withdrawals from the platform and were able to gain control over Sky Mavis’ 4 Ronin validators and a third-party validator from Axie DAO. All ETH and USDC deposits were drained from its bridge contract, where users will unable to withdraw or deposit their assets.
  • Poly Network: In August 2021, over $600 million in assets, including USDC, wBTC, wETH, and SHIB were stolen from Poly. Many speculate that the hack may have occurred due to the exposure of a private key utilized to sign the cross-chain message or a bug during Poly’s signing process that was exploited when signing the message.
  • Wormhole: In February 2022, Wormhole was hacked for ~$320 million (120,000 ETH), marking the second-largest DeFi hack to date. Full details of how the hacker carried out the attack are unknown, however it was noted that they exploited the Solana VAA verification and mint tokens to steal funds.
  • Qubit Finance: In January 2022, Qubit Finance was hacked for around $80 million in funds. The hacker managed to compromise 206,809 BNB from the platform’s wallet using a vulnerability within one of its Ethereum blockchain contracts, where a legacy deposit function within the code allows for fake deposits to be made to the bridge’s contract.

Common Attack Methods

When it comes to blockchain bridge hacks, the objective of the attacker is to withdraw tokens from one blockchain without depositing them into another.

The first is a false deposit event. Given that these cross-chain bridges check for deposits (in order to trigger the transfer to the other), attackers can generate deposits without making a real one on the blockchain. Once this has been done, they can withdraw real digital assets from the other corresponding blockchain, essentially creating a false transaction from nothing.

The second is fake deposits, where hackers generate a fake deposit that essentially validates a real one. In essence, this bypasses the validation process where the bridge validates deposits to confirm the transaction can go through.

Last but not least is a validator takeover, where the hacker gains control of a majority of the network’s validators. Once achieved, they can begin approving false transfers on the network and steal funds.

Identifying the Solution

Although it may seem daunting, there are a few measures that can be implemented in order to help mitigate risk and prevent hackers from exploiting blockchain bridges. 

To begin, steps must be taken to increase the ratio of signers for transactions where multisigs are spread across different wallets. This will ensure more protection and make it far more difficult for attackers to gain majority control and have authority/signing power. 

Increased development and innovation across the multi-chain space will also be a critical driver, not only creating a more robust and secure environment but also bringing more brainpower together to find solutions to problems. To that point, executing greater amounts of smart contract security audits or bug bounty programs can improve upon protocol and bridge security as well, fostering greater faith and transparency in DeFi and Web3 products. 

But there’s an entirely new solution taking an alternative approach to revolutionize this space – enter Magpie Protocol.

Facilitating Change with Magpie Protocol

Magie Protocol is setting the stage when it comes to increasing security and efficiency in the cross-chain industry, allowing these interoperable networks to flourish like never seen before. 

We’ve designed our solution to require fewer transactions and confirmations when swapping assets across chains, all in a non-custodial manner. This means that the user always has full control of their assets, creating a more decentralized experience to foster confidence in what we’re building.

So if this is the case, where exactly do bridges come into play? We use these bridges almost solely as a data transfer layer, allowing for near-instant finality when it comes to exchanging and swapping assets in a multi-chain fashion.

All of this ultimately means there are fewer risks and complications when it comes to security and the user experience. We’ve essentially removed direct interactions and facilitation with bridges from the equation, making our solution an attractive alternative to other DeFi applications. 

As we continue to build the underlying foundation of our protocol, we’ll continue to put together the pieces of the puzzle to solve the blockchain bridge problem and make our mark in the industry as the go-to standard for cross-chain swaps.Make sure to follow us on Twitter to stay up to date and join our Discord or Telegram channels for more information.