{"id":746,"date":"2022-10-25T16:08:42","date_gmt":"2022-10-25T16:08:42","guid":{"rendered":"https:\/\/mapleblock.capital\/blog\/?p=746"},"modified":"2022-12-05T11:32:44","modified_gmt":"2022-12-05T11:32:44","slug":"september-2022-bridge-attacks","status":"publish","type":"post","link":"https:\/\/mapleblock.capital\/blog\/september-2022-bridge-attacks\/","title":{"rendered":"September 2022 – Bridge Attacks"},"content":{"rendered":"
<\/div>\n

From the conception of Bitcoin in 2009 to the multi-chain environment we observe today, the crypto space has come a long way, and as the industry developed, so did the spectrum of means to exploit it. Every so often, the industry has suffered from major attacks draining the ecosystem of millions of dollars, and in recent times, the primary victims of these hacks have been blockchain bridges.<\/p>\n\n\n\n

What are Blockchain Bridges, and why are they important?<\/strong><\/h1>\n\n\n\n

The key to enabling interoperability, bridge protocols facilitate the transfer of assets and information across multiple blockchain networks. Blockchains are naturally isolated networks with unique native coins, governance, and consensus mechanisms making cross-chain communication difficult. This is where bridges come in to induce compatibility. Several established networks in the space have distinct features and variable degrees of security, decentralization, transaction speed, and fees. Users predominantly working with one chain may want to move their assets to another desirable network per their requirements. Bridge protocols make this happen.  <\/p>\n\n\n\n

For example, Bob has some $ETH on the Ethereum mainnet and wants to transfer it to his friend but is weary of the network’s high transaction costs. He notices that the L2 solution Polygon offers much better transaction throughput at a minimal cost. Through a bridge protocol, Bod can securely move his $ETH on the mainnet to $wETH or Wrapped $ETH on Polygon. A wrapped token is essentially a cryptocurrency pegged to a native coin that can be used on an external network. <\/p>\n\n\n\n

Bridge-based interoperability will augment the transition to Web3, empowering the ecosystem in various ways:<\/p>\n\n\n\n

Further decentralization of the ecosystem <\/strong><\/h4>\n\n\n\n

While complete decentralization within individual blockchain networks is a primary concern for several blockchain projects, the capacity to establish network interoperability across various blockchains represents an even more advanced realization of the promise of blockchain technology to decentralize systems and economies where thousands of application-specific Layer 1 solutions are interconnected through a decentralized network.<\/p>\n\n\n\n

Scalability and cheaper transactions<\/strong><\/h4>\n\n\n\n

Scalability is another significant issue that blockchain bridges may aid in resolving. Different networks will need to serve more significant transaction volumes and offer faster processing as blockchain gains prominence. Bridges may be utilized to provide scalability solutions where the transactional demand is dispersed throughout chain connections thanks to their capacity to enable cross-chain transfers. Additionally, users may move their assets from a network like Ethereum to a platform with minimal fees through bridges.<\/p>\n\n\n\n

Increasing cryptocurrency payments and acceptance<\/strong><\/h4>\n\n\n\n

Interoperability issues significantly hampered the adoption of cryptocurrencies as a means of payment. Several establishments only took Bitcoin as payment in the form of cryptocurrencies, but the blockchain bridge enables immediate payments at the point of purchase.<\/p>\n\n\n\n

Specialized Web3 services<\/strong><\/h4>\n\n\n\n

 Blockchain protocols’ flexibility to combine and match different pieces of fragmented infrastructure is the key to creating wholly new Web3 instruments and platforms. Many experts contend that interoperable smart contracts could revolutionize sectors like healthcare, law, or real estate, for example, by making it possible for crucial business data to be transferred between private networks and public networks in a customizable and malleable fashion. Interoperability across blockchains may potentially allow for multi-token transactions and multi-token wallet systems, which would considerably simplify the cryptocurrency user experience.<\/p>\n\n\n\n

Types of bridges<\/strong><\/h1>\n\n\n\n

Bridges can be classified based on various criteria:<\/p>\n\n\n\n

Classification based on function<\/strong><\/h4>\n\n\n\n

Chain-To-Chain Bridges: <\/strong>These bridges are primarily made to facilitate the transfer of assets between two specific blockchains and often employ the lock and mint system. Examples: Polygon’s PoS Bridge and Binance bridge between BSC and ETH.<\/p>\n\n\n\n

Multi-Chain Bridges: <\/strong>These bridges are capable of moving assets across different blockchains. They are designed to be deployed to any type of L1 or L2 blockchain solution. Connext and cBridge are a few examples.<\/p>\n\n\n\n

Data-Specific Bridges: <\/strong>These are interoperability protocols that exclusively transmit arbitrary data between various blockchains. These protocols often serve as the foundation for decentralized applications (dApps) and enable cross-chain composability. Examples include IBC, Data Movr, and Celer Inter-Chain Message Framework.<\/p>\n\n\n\n

Classification based on chains bridged<\/strong><\/h4>\n\n\n\n

L1 <> L1 Bridges:<\/strong> These bridges connect different Layer 1 solutions. For example, the Binance bridge and Avalanche bridge would be popular examples.<\/p>\n\n\n\n

L1 <> L2 Bridges:<\/strong> Layer 1 solutions are connected to different Layer 2 solutions built upon them. For example, bridges that connect Ethereum Mainnet to Arbitrum or Optimism.<\/p>\n\n\n\n

L2<>L2 Bridges:<\/strong> The youngest variant in the cross-chain infrastructure domain, these bridges connect different Layer 2 solutions. Example: Orbiter<\/p>\n\n\n\n

Classification based on architecture<\/strong><\/h4>\n\n\n\n

Trusted Bridges:<\/strong> These bridges rely on a centralized system or entity to function. They have trust presumptions on the handling of money and the Bridge’s security. Most users rely on the operator of the Bridge’s reputation. These bridges demand that users cede ownership of their crypto holdings.<\/p>\n\n\n\n

Trustless Bridges: <\/strong>Algorithms and smart contracts are used to operate trustless bridges. They are trustless, meaning that the Bridge’s security and that of the underlying blockchain are identical. Trustless bridges provide customers the ability to maintain control over their money through smart contracts.<\/p>\n\n\n\n

Classification based on asset transfer mechanisms<\/strong><\/h4>\n\n\n\n

Pool\u2013Based Bridges: <\/strong>Under such a mechanism, the bridge operator maintains pools of respective native tokens on either side of the Bridge. For example, a user intending to transfer USDT tokens from Ethereum to Solana must first deposit assets to the bridge contract (pool) on the Ethereum side. The user will provide the Solana address, and the bridge operator deposits Solana native USDT from the Bridge pool on the Solana side into the specified address. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Lock & Mint \/ Burn & Redeem: <\/strong>The “locking” or “burning” followed by the minting or redeeming is another prevalent transfer mechanism. Employing the same example as before, the user again starts by depositing USDT in Ethereum to a bridge-owned contract address and entering the recipient address on Solana, completing the “locking” phase. Bridge then “mints” or issues its own or a “wrapped” version of the deposited asset on the Solana chain and deposits it in the recipient address. The value of these newly created tokens depends on the prospect of one day being able to exchange them for the underlying asset on the sender chain. The wrapped tokens are transmitted back to the sender chain and “burned” on the target chain when the user “redeems” the tokens on the origin chain.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Atomic Swaps: <\/strong>Assets on the source chain are exchanged for assets on the destination chain via atomic swaps. In general, they lack the trustworthiness of lock & mint or burn & mint procedures since they operate through self-executing smart contracts for asset exchanges and do not need a third party.<\/p>\n\n\n\n

Why are bridges vulnerable?<\/strong><\/h1>\n\n\n\n

For two fundamental reasons, cross-chain bridges are inherently insecure.<\/p>\n\n\n\n

First off, bridges merely broaden the attack surface that would-be hackers might exploit by making the bitcoin ecosystem more complicated.<\/p>\n\n\n\n

Second, due to the lack of a larger development community, many are constructed fundamentally differently from the blockchains they connect. As a result, the code is not as thoroughly examined for potential problems. <\/p>\n\n\n\n

Many have described bridges as sitting ducks for hackers. Bridges feature smart contracts on both the blockchains involved in the exchange so that users may trade tokens. Since smart contracts are public, anybody, even malicious parties, may examine them for flaws. Additionally, they are created to be unchangeable and impossible to alter. An updated smart contract must be used to address the problem. It may take time and resources to address this flaw, leaving the Bridge open to future money theft. Additionally, vast quantities of various currencies are required for bridges to trade tokens quickly between blockchains. Because of their enormous reserves, bridges are a popular target for hackers, and the rise in the number of assaults we have observed on bridges is a definite sign that they regard this as a lucrative opportunity.<\/p>\n\n\n\n

Bridges also raise the total risk for the bitcoin ecosystem as a whole since they run the danger of transmitting vulnerability across the ecosystem.<\/p>\n\n\n\n

Bridge Attacks<\/strong><\/h3>\n\n\n\n

Bridge protocols are absolutely essential to actualize the Web3 future, but it is currently the weakest link in the industry infrastructure. With more than $2 billion<\/a> worth of cryptocurrencies stolen across 13 hacks, bridge attacks are now responsible for 69% of stolen funds in 2022.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

ChainSwap <\/strong><\/h4>\n\n\n\n

Then among the leading protocols in the interoperability infrastructure subdomain and backed by prominent venture funds such as Alameda Research and OKEx, Chainswap is a cross-chain asset bridge. On 10th July 2022, the protocol suffered a major attack as hackers exploited the vulnerabilities in Chainswap smart contracts. Back then, Chainswap primarily supported projects to launch Ethereum tokens on Binance Smart Chain (BSC). Highjacking projects’ contracts on BSC, the attackers minted tokens on the chain and proceeded to sell them on the network’s most popular DEX PancakeSwap for $wBNB<\/a>, $BUSD<\/a>, and other coins. The attackers also stole assets from Ethereum mainnet, which were staked in Chainswap’s contracts to sell them for $DAI<\/a>. <\/p>\n\n\n\n

Around 20 projects, including Wilder Worlds, Antimatter, Option Room, Umbrella Network, Blank, Nord Finance, Razor Network, Peri, Unido, Oro, Vortex, Corra, ROCKS, Dafi, and Unifarm lost assets worth over $8 million<\/a>. Over 14 tokens plunged 99% in the aftermath. The sale of vast amounts of minted tokens drained liquidity pools for many projects, further afflicting them. Moreover, this incident came after an earlier attack conducted on 2nd July 2021, in which the protocol lost around $800K. <\/p>\n\n\n\n

Multichain <\/strong><\/h4>\n\n\n\n

Multichain, formerly known as Anyswap, is one of the most notable names in the cross-chain space, with a TVL of over $1.7 billion<\/a>. On 17th January 2022, the Multi-chain team declared that security firm Debaub discovered a critical vulnerability in the network and immediately asked users to revoke permissions for $wETH, $PERI, $OMT, $wBNB, $MATIC, and $AVAX on the protocol’s bridging router since they were on the verge of drained by hackers, but unfortunately, the exploit was already underway.<\/p>\n\n\n\n

The attack resulted from a single function in the protocol’s contract named anySwapOutUnderlyingWithPermit<\/em>. Multi-chain router allows users to swap between any two chains freely through an internal mechanism that wraps the actual token with its “anyToken”. For example, to conduct a transfer of $ETH from Ethereum mainnet to BSC, the protocol first wraps $ETH to create $anyETH. $ETH will serve as the underlying asset for the wrapped token, which Multichain also uses for internal accounting. During the transfer, wrapped tokens will be added to the Multi-chain anyETH BSC contract and burned on the anyETH Ethereum contract. The compromised function was created to facilitate this mechanism. Under a standard transaction, the function would have taken a wrapped anyToken address as input and unwrapped it to receive the address for the underlying asset, but in a particular exploit, when the contract deployed by the attacker was unwrapped, an address to a $wETH contract was obtained instead. Thus user’s $wETH authorized to Multichain’s contract were directly transferred to the attacker’s malicious contract token address. Furthermore, it was revealed that the function was never used before the attack and could have been deleted long before.<\/p>\n\n\n\n

Security firm PeckShield reported that more than 450 $wETH<\/a>, then worth around $1.3 million, were affected. In total, hackers made away with $3 million<\/a> as Multichain<\/a> and some individual victims<\/a> began offering bounties to the attackers to recover whatever they could.<\/p>\n\n\n\n

Qubit<\/strong><\/h4>\n\n\n\n

Qubit is a DeFi platform that primarily provides money market services to connect lenders and borrowers efficiently, along with peripheral bridging services. In another attack on an Ethereum and BSC network bridge,  an attacker targeted the platform’s X-bridge protocol on 27th January 2022 to drain the Bridge of crypto assets valued at over $80 million<\/a> around the incident. <\/p>\n\n\n\n

The attacker exploited the deposit<\/em> function in Qubit’s bridge contract to dupe the protocol into thinking that $ETH had been deposited into the contract. Qubit offers a feature called X-collateral that enables users to collateralize their assets on other chains without moving assets. For example, users could deposit 1 $ETH in Qubit’s contract through the deposit<\/em> function on the Ethereum mainnet to get 1 $xETH which will be minted on BSC. The newly minted token could now interact with the BSC ecosystem or could be used to borrow other tokens. The attacker called the deposit<\/em> function with meticulously constructed input data to exploit particular vulnerabilities within the function code. The deposit<\/em> function logic further invokes the QBridgeHandler <\/em>contract, which conducts the data verification. The hacker provided a null address which is considered a whitelisted and an externally owned address (EOA), along with a sufficiently large ETH amount as inputs to successfully circumvent three statements within the QBridgeHandler<\/em> contract meant to ensure the correctness of the inputs<\/a>. One of the root causes of the exploit was the fact that a vital function within the deposit<\/em> code, safeTransferFrom<\/em>, failed to revert when a null address was provided. <\/p>\n\n\n\n

This enabled the hacker to mint 77,162 $xETH, then worth over $185 million, without actually depositing any $ETH. These tokens were used to borrow 15,688 $wETH ($37.6 million), 767 $BTC-B ($28.5 million), approximately $9.5 million in various stablecoins, and roughly $5 million in $CAKE, $BUNNY, and $MDX before swapping everything for 206,809 BNB coins<\/a>. All valuations mentioned here were recorded as of the date the attack occurred. <\/p>\n\n\n\n

Wormhole<\/strong><\/h4>\n\n\n\n

Wormhole is among the most significant communication protocols connecting Solana to the rest of the ecosystem, but unfortunately, that is not how many remember its name. In one of the largest hacks the industry has ever experienced, on 2nd February 2022, exploiting Portal, the token Bridge built on the Wormhole protocol, the attacker made away with assets valued at around $325 million<\/a> at the time of the incident. <\/p>\n\n\n\n

Before the hack, a typical transfer between Ethereum and Solana through the Wormhole bridge went through the following process:<\/p>\n\n\n\n