Top 11 DeFi Cross-Chain Bridge Attacks of 2022: Hackers Bag Over $2 Billion

10 October 2022, 10:34 GMT+0000
Updated by Kyle Baird
10 October 2022, 10:35 GMT+0000

BNB Chain lost 2 million BNB coins worth $568 million in a cross-bridge exploit last week. The incident is yet another on the list of major DeFi attacks that have occurred through 2021-22, resulting in a loss of over $2 billion.

While the recent attack is reported to be due to a flaw in message verification by the validators, Blockchain security infrastructure firm BlockSec highlighted that crypto and DeFi bridges have historically been sought-after targets by attackers.

BSC Bridge: $568M

The BNB (BSC) Bridge exploit occurred due to a message verification weakness, which, according to security researcher Samczsun, happened due to an attacker finding a way to forge proof for a particular block.

At first, the platform temporarily suspended operations on the BNB Chain due to “irregular activity,” only to later confirm it was an exploit.

Nomad attacks: $200M

Back in August, hackers exploited Nomad due to a similar message verification vulnerability, but in the target chain contract, which allowed the attackers to steal around $200 million in cryptocurrency.

The incident shook the entire cryptosphere because the hackers went all the way to impersonate Nomad employees to steal even more funds.

Harmony Bridge: $100M

In June, Harmony stated that it had discovered attacks on the Horizon bridge that drained $100 million worth of various crypto assets due to a private key leak. The Horizon bridge, which connects the Harmony blockchain to Ethereum, Binance Smart Chain, and Bitcoin, suffered a multi-sig wallet flaw that impacted about 65,000 wallets and 14 asset kinds.

/Related

More Articles
Ransomware Hack DeFi Attacks

Ronin Bridge: $600M

In March of this year, approximately $600 million in ETH and USDC were stolen from Ronin Network, the Ethereum-based sidechain for the well-known cryptocurrency game Axie Infinity.

The attacker allegedly used hacked private keys to fabricate bogus withdrawals from the Ronin bridge contract in two transactions.

Meter.io DeFi: $4.2M

On Feb. 5, 2022, the blockchain infrastructure business Meter, which works in the DeFi sector, lost $4.4 million in a bridge hack. The hacker reportedly swindled 1,391 ETH and 2.74 BTC after the bad actor exploited a bug introduced onto the bridge by the Meter team.

The weakness was reportedly due to a logical vulnerability in depositing funds.

Wormhole: $325M

The Wormhole protocol, a well-known cross-chain cryptocurrency link between Solana, Ethereum, Avalanche, and other chains, was hacked on Feb. 2 when approximately $325 million in wrapped ETH was stolen. In order to ensure that wETH is backed 1:1, the company stated that more ETH would be added.

This weakness was also reportedly because of a logical vulnerability in depositing funds.

Multichain: $1.4M

Due to a serious flaw in the logical codes used to deposit money into Multichain (formerly known as Anyswap), one of the biggest crypto token swapping platforms, at least $1.41 million was stolen by cybercriminals.

To protect their funds, Multichain advised its users to delete their approvals for WETH, PERI, OMT, WBNB, MATIC, and AVAX if they had already approved any of the six assets on the Router.

QBridge: $80M

Qubit Finance was exploited in the early hours of Jan. 28 after a malicious actor reportedly exploited the DeFi protocol to mint unlimited tokens on the Binance Smart Chain-based platform.

The logical vulnerability was exploited several times to increase the loot, which totaled nearly $80 million, making this hack one of the largest in DeFiYield’s Rekt database. The hacker made the platform think they had made a deposit; however, they traded the assets for BNB and disappeared.

DeFi Hack Exploit

Poly Network: $600M

Poly Network announced via Twitter in August 2021 that it was attacked on the Binance, Ethereum, and Polygon networks. The protocol that swaps tokens across several blockchains sent trembles into the markets after becoming one of the largest attacks at the time, with stolen funds including $273 million ETH, $253 million in BSC tokens, and $85 million in USDC taken from the Polygon network.

However, the hacker ‘Mr. White Hat’ returned almost all the funds that they stole.

ChainSwap: $8M

DeFi cross-chain platform ChainSwap also suffered an $8-million exploit in July 2021 that affected no less than ten projects with the attack.

The hack also impacted the user-governed forecast protocol Option Room. According to a tweet they issued on July 10, the attackers stole $550,000 worth of their native token ROOM. This was the second exploit in the same month occurring due to a message verification flaw on the target chain contract.

THORChain: $7.6M

Cross-chain decentralized exchange (DEX) THORChain was attacked for the third time in 2021 and the second time within a week after a $5 million flash loan attack.

In July 2021, the protocol stated that the platform lost around $8 million due to an event verification flaw and that the attack was carried out by a benevolent white-hat hacker that has requested a 10% bounty.

Notably, when hackers find weaknesses in the blockchain’s internal logic, which includes exploiting verification that is used to deposit funds or other cross-chain functions, major attacks are reported.

DeFi future: Multi-chain vs. cross-chain

Ethereum co-founder Vitalik Buterin had previously argued that while he supports a multi-chain web3 future, he doesn’t think cross-chains are sustainable due to their innate security fears.

He stated, “The fundamental security limits of bridges are actually a key reason why while I am optimistic about a multi-chain blockchain ecosystem (there really are a few separate communities with different values, and it’s better for them to live separately than all fight over influence on the same thing), I am pessimistic about cross-chain applications.”

According to Buterin, the incidence of attacks increase as more DeFi cross-chain bridges and apps are used. He also argued that cross-chains bring about an “anti-network” effect, explaining, “No one will 51% attack Ethereum just to steal 100 Solana-WETH.”

“But if there’s 10 million ETH or SOL in the bridge, then the motivation to make an attack becomes much higher, and large pools may well coordinate to make the attack happen,” he added.

At the time of writing, the global cryptocurrency market cap on CoinGecko stands close to $990 billion as the market attempts to recover from the latest heist. However, Bitcoin continues to trade under the crucial level of $20,000 at press time, while BNB is trading in the 24-hour range of $281.34 and $294.61.

Disclaimer

The information provided in independent research represents the author's view and does not constitute investment, trading, or financial advice. BeinCrypto doesn’t recommend buying, selling, trading, holding, or investing in any cryptocurrencies