Cross-chain bridge security case review: $1.9 billion affected, $1.5 billion recovered.
Review of Cross-Chain Bridge Security Incidents: Top Ten Cases Involved Over $1.9 Billion
In recent years, as the blockchain ecosystem has grown, cross-chain bridges have become key infrastructure connecting different public chains, and their security has drawn close attention. Because they hold large amounts of funds and process cross-chain operations frequently, cross-chain bridges have become prime targets for attackers. This article reviews ten major security incidents involving cross-chain bridges, with total funds involved exceeding $1.9 billion, of which approximately $1.55 billion has been recovered or compensated.
1. ChainSwap: Loss of approximately $8.08 million due to two attacks
In July 2021, ChainSwap suffered two hacker attacks. The first loss was approximately $800,000, and the second loss was about $8 million, affecting more than 20 projects using ChainSwap for cross-chain transactions. The cause of the incident was that the protocol did not strictly verify the validity of signatures. Several affected projects chose to take snapshots and reissue tokens to compensate holders and liquidity providers.
2. Poly Network: All $610 million stolen has been recovered
In August 2021, Poly Network suffered a hacker attack, resulting in a loss of approximately $610 million in assets across Ethereum, Binance Smart Chain, and Polygon. The attacker exploited a vulnerability in contract permission management to successfully replace the validator addresses on the target chains. Ultimately, the hacker returned all the funds, and Poly Network even invited them to serve as Chief Security Advisor.
3. Multichain: Vulnerability Causes $6 Million Loss, Compensation Paid
In January 2022, Multichain discovered a significant vulnerability affecting multiple tokens. Approximately 7,962 user addresses were impacted, resulting in a loss of about $6.04 million. The cause was a flaw in how the contract verified the legitimacy of the tokens submitted by users. The team has recovered nearly 50% of the stolen funds and has compensated users who promptly revoked their authorizations.
4. QBridge: $80 million stolen, only 2% compensated
At the end of January 2022, QBridge, the cross-chain bridge of the lending protocol Qubit, was attacked, resulting in a loss of approximately $80 million. The attacker exploited a vulnerability in how the contract processed whitelisted tokens, minting a large amount of xETH tokens out of thin air on BSC. Currently, the usage rate of Qubit is very low, and 98% of the stolen funds have not been compensated.
5. Meter.io: $4.4 million loss, promises to compensate with future earnings
In February 2022, the Meter Passport cross-chain bridge was attacked, resulting in a loss of 4.4 million USD. The issue stemmed from a "faulty trust assumption" in the underlying code, which allowed hackers to forge BNB and ETH transfers. Meter decided to issue a new token, PASS, to compensate users and promised to buy it back with future profits, but this has not yet been implemented.
6. Ronin: $620 million stolen, fully compensated
In March 2022, the Ronin chain behind Axie Infinity suffered a $620 million attack. The hackers gained control of the validators through social engineering. Although the stolen funds could not be recovered, the developer Sky Mavis raised $150 million through financing to compensate user losses.
7. Wormhole: $326 million loss, compensation has been paid
In February 2022, Wormhole was attacked by hackers, resulting in a loss of approximately $326 million. The attackers exploited a signature verification vulnerability in the Solana-side contract to forge messages and mint a large amount of whETH. Jump Crypto quickly injected 120,000 ETH into Wormhole to cover the entire loss.
8. EvoDeFi: Estimated losses exceed tens of millions of dollars, unresolved
In June 2022, USDT on the Oasis ecosystem DEX ValleySwap severely depegged, with estimated losses of tens of millions of dollars. The reason may be insufficient liquidity on the source chain of the EvoDeFi cross-chain bridge or the existence of a backdoor. Related parties did not provide any solutions, and user losses cannot be recovered.
9. Horizon: Nearly $100 million stolen, compensation plan in development
In June 2022, Harmony's official cross-chain bridge Horizon was attacked, resulting in a loss of approximately $100 million. The founder admitted that it might have been caused by a private key leak. The project team is currently negotiating with the community to formulate a compensation plan.
10. Nomad: $190 million stolen, resolution in progress
In August 2022, $190 million in liquidity was quickly drained from the Nomad bridge. The reason was a contract upgrade that incorrectly initialized the trusted root to 0x00, allowing anyone to withdraw funds. The project team has not provided a clear compensation plan, and some white hat hackers have expressed their willingness to return the funds.
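The Nomad failure mode described above, as a simplified Python model (an added example, not Nomad's contract code), shown beside a hardened check and a post-upgrade invariant. The class, field and function names are hypothetical, the sample messages are constructed, and the model assumes an unproven message looks up to the zero value, as a contract storage mapping does.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # the 0x00 value the trusted root was initialized to


class Replica:
    """Toy bridge endpoint (hypothetical names, not Nomad's contract code)."""
    def __init__(self, trusted_root: bytes, reject_zero_root: bool):
        self.trusted_roots = {trusted_root}   # roots accepted as committed
        self.reject_zero_root = reject_zero_root
        self.proven_under = {}                # message digest -> root it was proven under
        self.processed = set()                # digests already paid out

    def prove(self, message: bytes, root: bytes) -> None:
        # Stand-in for Merkle proof verification, assumed to have succeeded.
        self.proven_under[hashlib.sha256(message).digest()] = root

    def process(self, message: bytes) -> bool:
        digest = hashlib.sha256(message).digest()
        if digest in self.processed:
            return False                      # replay of an already processed message
        # Assumption: like contract storage, a missing key reads as zero.
        root = self.proven_under.get(digest, ZERO_ROOT)
        if self.reject_zero_root and root == ZERO_ROOT:
            return False                      # "never proven" must not pass
        if root not in self.trusted_roots:
            return False
        self.processed.add(digest)
        return True


def zero_root_untrusted(replica: Replica) -> bool:
    """Post-upgrade invariant to assert in deployment tests and monitoring."""
    return ZERO_ROOT not in replica.trusted_roots


def demo() -> dict:
    real_root = hashlib.sha256(b"constructed sample tree").digest()
    unproven = b"constructed sample message that was never proven"
    flawed = Replica(ZERO_ROOT, reject_zero_root=False)  # upgrade set root to 0x00
    fixed = Replica(real_root, reject_zero_root=True)
    fixed.prove(b"constructed proven message", real_root)
    return {
        "flawed_accepts_unproven": flawed.process(unproven),
        "fixed_accepts_unproven": fixed.process(unproven),
        "fixed_accepts_proven": fixed.process(b"constructed proven message"),
        "flawed_passes_invariant": zero_root_untrusted(flawed),
        "fixed_passes_invariant": zero_root_untrusted(fixed),
    }
```

Running the invariant against the post-upgrade state, before the upgrade is considered complete, flags the misconfiguration without any message ever being processed.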
Summary
The frequent occurrence of security incidents with cross-chain bridges warns us to remain highly vigilant. Even top-ranked liquidity bridges such as Multichain, Wormhole, and Poly Network have encountered attacks. Relatively speaking, projects with strong backgrounds and ample capital are often better able to handle subsequent compensation or asset recovery when faced with security issues. At the same time, the team's real-time monitoring and rapid response capabilities are also key to preventing attacks. Users should prioritize projects with a good reputation and strong technical support when choosing cross-chain bridges to mitigate potential risks.