Cross-chain bridge turmoil: $2 billion attacked, some projects have completed fund recovery and compensation
Cross-chain bridge security incident review: nearly $2 billion in funds affected, some recovered or compensated
In recent years, as the blockchain ecosystem has developed rapidly, cross-chain bridges have become important infrastructure connecting different public chains. Because of their high capital liquidity, they have also become prominent targets for attackers. This article reviews significant recent security incidents involving cross-chain bridges, analyzes their causes, and discusses how each incident was subsequently handled.
ChainSwap: Lost approximately $8.8 million in two attacks
In July 2021, ChainSwap suffered two hacker attacks within just 9 days. The first incident resulted in a loss of approximately $800,000, while the second caused a loss of around $8 million, affecting over 20 projects that used its services. The cause of the attack was the protocol's failure to strictly verify the validity of transaction signatures. As the primary loss involved governance tokens, several affected projects opted to take snapshots and reissue tokens to compensate their holders.
Poly Network: $610 million in stolen funds fully recovered
In August 2021, the cross-chain protocol Poly Network suffered the largest DeFi attack at the time, involving funds of up to $610 million. The attackers exploited a vulnerability in the contract's permission management to successfully replace the validator addresses and transfer assets. However, the hackers ultimately chose to return all the funds, and Poly Network referred to them as "white hat hackers" and expressed a willingness to hire them as security consultants.
Multichain: $6 million vulnerability loss, partial compensation has been made
In January 2022, Multichain discovered a significant vulnerability affecting multiple tokens. Approximately 7,962 user addresses were impacted, resulting in a loss of $6.04 million. The cause was a flaw in how the contract verified the legitimacy of user-submitted tokens. The Multichain team recovered nearly 50% of the stolen funds and proposed a compensation plan, but it was only available to users who revoked their authorization before a specified date.
QBridge: $80 million loss, slow compensation progress
At the end of January 2022, QBridge, the cross-chain bridge of the Qubit lending protocol, was attacked, resulting in a loss of approximately $80 million. The attacker exploited a contract that did not verify the zero address a second time, minting a large number of tokens out of thin air on BSC and cashing them out. Currently, Qubit's usage rate is extremely low, and 98% of the stolen funds have not been compensated.
Meter.io: $4.4 million loss, plans to compensate with future earnings
In February 2022, the Meter Passport cross-chain bridge was attacked due to a "faulty trust assumption" in the code, resulting in a loss of $4.4 million. The project team initially proposed compensation using MTRG tokens, then changed to issuing a new token, PASS, and promised to buy it back using future earnings. No substantial compensation has been made to date.
Ronin: $620 million stolen, full compensation has been paid
In March 2022, the Ronin chain behind Axie Infinity suffered a massive attack of $620 million. The attackers gained control of multiple validation nodes through social engineering. Although the stolen funds could not be recovered, the developers, Sky Mavis, raised $150 million through financing to compensate users for their losses.
Wormhole: $326 million vulnerability has been compensated
In February 2022, the cross-chain protocol Wormhole was attacked due to a contract signature verification error on the Solana side, resulting in a loss of approximately $326 million. Jump Crypto quickly injected an equivalent amount of funds into Wormhole to restore its normal operations.
EvoDeFi: Estimated losses of over ten million dollars, not addressed
In June 2022, the USDT on the Oasis ecosystem DEX ValleySwap severely depegged due to insufficient liquidity in the EvoDeFi cross-chain bridge it utilized. The specific amount of loss is unknown, but it is estimated to be in the tens of millions of dollars. Currently, the parties involved have not provided any solutions, and the project team seems to have ceased operations.
Horizon: Nearly $100 million loss, compensation plan still in development
In June 2022, Harmony's official cross-chain bridge Horizon was attacked due to a private key leak, resulting in a loss of approximately $100 million. The project team initially proposed to compensate through a phased issuance of tokens, but it did not gain community support. They are currently working on a new compensation plan.
Nomad: $190 million stolen, part of the funds may be recovered
In August 2022, Nomad lost $190 million due to a contract upgrade error. The attack affected 1,251 addresses, with ENS addresses accounting for 38% of the total amount. Some white-hat hackers have expressed willingness to return the funds, but the project team has not yet provided a clear compensation plan.
Summary
Cross-chain bridges are a high-risk area, and even top projects are not immune to security incidents. In comparison, projects with strong backgrounds and sufficient funding tend to handle crises more appropriately, often able to recover losses through asset recovery or compensation. Additionally, effective real-time monitoring and rapid response mechanisms are key to preventing and mitigating losses from attacks. Users should be particularly cautious when choosing cross-chain bridges, prioritizing projects with higher security and stronger risk response capabilities.
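The real-time monitoring mentioned above, applied to the QBridge case of tokens minted out of thin air, comes down to reconciling every destination-chain mint against a source-chain deposit. The Python below is an added example, not code from any project named in this article; the event fields, the transfer_id link between chains and the sample stream are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Event:
    """One bridge event. Field names are assumptions, not a real bridge schema."""
    kind: str         # "lock" (source chain deposit) or "mint" (destination chain)
    transfer_id: str  # links a destination mint to the deposit that backs it
    token: str
    amount: Decimal


def audit(events):
    """Replay events in order; return (alerts, unbacked supply per token)."""
    pending = {}       # transfer_id -> lock that no mint has used yet
    consumed = set()   # transfer_ids a mint has already been issued for
    locked = defaultdict(Decimal)
    minted = defaultdict(Decimal)
    alerts = []
    for ev in events:
        if ev.kind == "lock":
            pending[ev.transfer_id] = ev
            locked[ev.token] += ev.amount
            continue
        minted[ev.token] += ev.amount
        lock = pending.pop(ev.transfer_id, None)
        if ev.transfer_id in consumed:
            alerts.append((ev.transfer_id, "replayed transfer"))
        elif lock is None:
            alerts.append((ev.transfer_id, "mint without lock"))
        elif (lock.token, lock.amount) != (ev.token, ev.amount):
            alerts.append((ev.transfer_id, "mint does not match lock"))
        consumed.add(ev.transfer_id)
    # Global invariant: wrapped supply must never exceed locked collateral.
    unbacked = {t: minted[t] - locked[t] for t in minted if minted[t] > locked[t]}
    return alerts, unbacked


# Constructed sample stream (not real incident data).
SAMPLE = [
    Event("lock", "t1", "ETH", Decimal("5")),
    Event("mint", "t1", "ETH", Decimal("5")),       # backed by the t1 deposit
    Event("mint", "t1", "ETH", Decimal("5")),       # same deposit used twice
    Event("mint", "t2", "ETH", Decimal("77000")),   # no deposit at all
    Event("lock", "t3", "USDT", Decimal("100")),
    Event("mint", "t3", "USDT", Decimal("1000")),   # amount inflated
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any alert or non-empty unbacked total is a signal to pause minting before funds leave the bridge, which is the rapid-response half of the same control.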