Top 10 Cross-Chain Bridge Attack Incidents Review: Losses Exceed $1.9 Billion, Deep Security Lessons
Cross-Chain Bridge Security Incident Review: Top Ten Attacks Involving Over $1.9 Billion
Cross-chain bridges, as important infrastructure connecting different blockchain networks, have frequently become targets of hacker attacks in recent years. This article reviews ten significant security incidents involving cross-chain bridges, with total funds involved exceeding 1.9 billion USD, of which approximately 1.55 billion USD has been recovered or compensated. These cases highlight the security risks of cross-chain bridges while also providing valuable lessons for the industry.
ChainSwap: Approximately $8.8 million lost in two attacks
In July 2021, ChainSwap suffered two consecutive hacker attacks. The first resulted in a loss of about $800,000, and the second in a loss of about $8 million, affecting more than 20 projects that used the cross-chain bridge. Investigations revealed that the attacks originated from the protocol's failure to strictly verify the validity of signatures. Ultimately, several affected projects chose to take snapshots and reissue tokens to compensate users for their losses.
Poly Network: $610 million stolen, fully recovered
In August 2021, Poly Network suffered the largest cross-chain bridge attack at the time, involving funds of up to $610 million. The attacker exploited a vulnerability in contract permission management and successfully replaced the validator address on the target chain. However, the incident ultimately ended positively, as the attacker returned all the funds and was referred to by the project team as a "white hat hacker."
Multichain: $6 million loss has been partially compensated
In January 2022, Multichain discovered a significant vulnerability affecting multiple tokens. Although the vulnerability has been fixed, approximately $6 million in assets were stolen. The cause was a flaw in how the contract verified the legitimacy of the tokens entered by users. Afterwards, the team recovered nearly 50% of the stolen funds and compensated users who revoked their authorizations in a timely manner.
QBridge: Only 2% Compensation for $80 Million Loss
At the end of January 2022, the cross-chain bridge QBridge of the lending platform Qubit was attacked, resulting in a loss of about $80 million. The attackers exploited a vulnerability in the contract when processing whitelisted tokens, successfully minting a large number of fake tokens on BSC. As of now, most of the stolen funds have not been compensated, and Qubit's usage rate has also significantly declined.
Meter.io: $4.4 million loss compensated by future earnings
In February 2022, the Meter Passport cross-chain bridge was attacked due to an "error of trust assumption" in the code, resulting in a loss of $4.4 million. The project team ultimately decided to issue a new token, PASS, for compensation and promised to buy back these tokens with future earnings.
Ronin: $620 Million Stolen, Compensated After Raising Financing
In March 2022, the Ronin chain of the game Axie Infinity suffered a massive attack amounting to $620 million. This was a typical social engineering attack, where hackers gained system access by fabricating job opportunities. Although the stolen funds could not be recovered, the development team Sky Mavis raised $150 million to compensate user losses.
Wormhole: Instant Compensation for $326 Million Loss
In February 2022, Wormhole lost $326 million in an attack caused by a vulnerability in the Solana-side contract verification. Notably, Jump Crypto, the team behind the project, quickly injected an equivalent amount of funds, allowing the platform to resume normal operations.
EvoDeFi: Loss amount not specified, team may have abandoned the project
In June 2022, the DEX ValleySwap in the Oasis ecosystem encountered a severe asset de-pegging issue due to its use of the EvoDeFi cross-chain bridge. The specific amount of losses has not been disclosed, but it is estimated to be in the tens of millions of dollars. Unfortunately, it seems that the parties involved have ceased operations, and user losses have yet to be resolved.
Horizon: Nearly $100 million loss, compensation plan pending
In June 2022, Harmony's official cross-chain bridge Horizon was attacked, resulting in losses of nearly $100 million. Investigations indicate that this may have been caused by a private key leak. The project team had proposed compensating users by issuing additional tokens, but the plan has not yet been finalized.
Nomad: $190 million stolen, part of the funds may be recovered
In August 2022, the Nomad cross-chain bridge lost $190 million in an attack caused by a contract initialization error. This error allowed anyone to withdraw funds from the bridge. Although there is currently no clear compensation plan, some white hat hackers have expressed their willingness to return the funds.
Summary
These cases indicate that even leading cross-chain bridge projects face significant security risks. Notably, projects with strong financial backing and a solid background are often able to handle crises more effectively after an attack or compensate through their own resources. This reminds users that when choosing a cross-chain bridge, they should consider not only technical factors but also assess the strength and reputation of the project team. At the same time, project teams need to strengthen real-time monitoring and rapid response mechanisms to minimize potential losses.
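The real-time monitoring recommended above can start from one invariant: every release or mint on the destination chain must correspond to exactly one deposit on the source chain, for the same token and amount. The following is an added example, not code from any project named in this article; the event fields, `reconcile`, and the per-token outflow limits are hypothetical, and the sample events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

NO_DEPOSIT = "release without matching deposit"
REPLAY = "transfer id released more than once"
MISMATCH = "token or amount differs from deposit"
OUTFLOW = "outflow limit exceeded: pause releases"

@dataclass(frozen=True)
class BridgeEvent:
    kind: str         # "deposit" (source chain) or "release" (destination chain)
    transfer_id: str  # hypothetical id linking a release to its deposit
    token: str
    amount: int

def reconcile(events, limits):
    """Return (transfer_id, reason) alerts for releases that break the invariant.

    Assumes events arrive in order, so a deposit is seen before its release.
    limits maps token -> maximum total released in the monitoring window;
    a token with no entry has limit 0, so any release of it raises an alert.
    """
    deposits, consumed, alerts = {}, set(), []
    released = defaultdict(int)
    for ev in events:
        if ev.kind == "deposit":
            deposits[ev.transfer_id] = ev
            continue
        dep = deposits.get(ev.transfer_id)
        if dep is None:
            alerts.append((ev.transfer_id, NO_DEPOSIT))
        elif ev.transfer_id in consumed:
            alerts.append((ev.transfer_id, REPLAY))
        elif (dep.token, dep.amount) != (ev.token, ev.amount):
            alerts.append((ev.transfer_id, MISMATCH))
        consumed.add(ev.transfer_id)
        # Count every observed release, valid or not: the funds left the bridge.
        released[ev.token] += ev.amount
        if released[ev.token] > limits.get(ev.token, 0):
            alerts.append((ev.transfer_id, OUTFLOW))
    return alerts

# Constructed sample data, not taken from any real incident.
SAMPLE_LIMITS = {"USDC": 1500, "ETH": 100}
SAMPLE_EVENTS = [
    BridgeEvent("deposit", "t1", "USDC", 500),
    BridgeEvent("release", "t1", "USDC", 500),  # valid
    BridgeEvent("release", "t2", "USDC", 900),  # no deposit on source chain
    BridgeEvent("deposit", "t3", "ETH", 10),
    BridgeEvent("release", "t3", "ETH", 40),    # amount inflated
    BridgeEvent("release", "t1", "USDC", 500),  # replayed transfer id
]
```

An alert from a monitor like this is most useful when it is wired to the rapid response side, for example an automatic pause of releases while the discrepancy is investigated.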