
The biggest bridge hacks of 2022

Written by
Lucas Borges Barreto
Published on
October 11, 2022

INTRODUCTION

The crypto/blockchain industry is notorious for hacks and scams, and 2022 was no different. As of July 2022, $1.9 billion had been stolen, according to Chainalysis’ “Mid-year Crypto Crime Update.”

This year, a new avenue accounted for most of the value stolen: cross-chain bridges. The number is staggering. Out of that total, at least $1.4 billion was taken through bridge exploits of various kinds.

This is what we, as an industry, are up against. We are building a still-maturing technology with little room for error. Our collective focus should be heavily weighted towards creating solutions in which security is paramount. The famous Silicon Valley adage "Move fast and break things" should be reconsidered. With blockchain going mainstream, we frequently deal with people's livelihoods.

This is the mindset behind the security-first architecture of our partner Project TXA: enabling settlement between blockchains without having to guard millions of dollars' worth of users' assets, while remaining fully decentralized and open-source and still offering a top-notch user experience.

In this article, we go over the major bridge hacks of the year. Let's begin.

RONIN BRIDGE

HOW IT HAPPENED

On March 23, 2022, an attacker gained control of 5 of the Ronin Bridge's validator keys. Of those 5, 4 were run by Sky Mavis and 1 belonged to the Axie DAO. In November 2021, the Axie DAO had temporarily allowed Sky Mavis to sign transactions on its behalf; that permission should have been revoked by the end of the year, but it never was. There were 9 validators in total and only 5 signatures were needed to authorize withdrawals, so a single compromised organization held enough signing power to drain the bridge. The attacker transferred 173,600 ETH and 23.5 million USDC out of the bridge.

WHAT HAPPENED AFTER

Sky Mavis raised $150 million in a round led by Binance. The company stated that the funds from the round, together with Sky Mavis and Axie Infinity balance-sheet funds, would be used to reimburse all users who lost money in the breach.

Their round announcement read, "The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized as Sky Mavis works with law enforcement to recover the funds. If the funds are not fully recovered within two years, the Axie DAO will vote on next steps for the treasury. We believe that Axie will go down in history as the first game to imbue players with true digital property rights and recent events have only strengthened this conviction."

On June 28, 2022, the bridge was reopened and all users' funds were returned.

WORMHOLE BRIDGE

HOW IT HAPPENED

On February 3, 2022, Wormhole, a cross-chain bridge connecting Solana to Ethereum and other chains, was exploited on its Solana side for 120,000 ETH.

The attack was possible because the Solana-side contract did not properly validate the "guardian" signatures that authorize a transfer: it read the result of the signature check from an account supplied by the caller without confirming that the account was the genuine system account, so the attacker could pass in a fake one and forge a message claiming that 120,000 ETH had been deposited. The contract then minted 120,000 whETH out of thin air. The attacker bridged 93,750 ETH back to the Ethereum network, while the remainder was liquidated on Solana into USDC and SOL.
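The account-identity check at the heart of the Wormhole bug, as an added Python model that is not Wormhole's own code. It assumes the widely reported root cause: the Solana program decided whether the guardian signatures had been verified by reading an "instructions sysvar" account from the accounts the caller passed in, without checking that the account was the genuine sysvar. The sysvar and secp256k1 program addresses below are the real Solana ones; the bridge program id, the guardian quorum of 13 and the transaction layouts are constructed for the example.

```python
from dataclasses import dataclass

# Genuine Solana addresses of the Instructions sysvar and the secp256k1 precompile program.
SYSVAR_INSTRUCTIONS_ID = "Sysvar1nstructions1111111111111111111111111"
SECP256K1_PROGRAM_ID = "KeccakSecp256k11111111111111111111111111111"
BRIDGE_PROGRAM_ID = "Bridge1111111111111111111111111111111111111"  # placeholder, not the real id
GUARDIAN_QUORUM = 13  # assumed: two thirds + 1 of a 19-guardian set


@dataclass
class Instruction:
    program_id: str
    verified_sigs: int = 0   # for the secp256k1 program: guardian signatures it checked
    name: str = ""           # for the bridge program: which instruction this is


@dataclass
class Account:
    key: str
    instructions: list       # an Instructions-sysvar-shaped account lists the tx's instructions


def genuine_sysvar(tx):
    """What the runtime supplies: the real sysvar, mirroring the transaction actually executing."""
    return Account(SYSVAR_INSTRUCTIONS_ID, list(tx))


def prior_secp_check_passed(sysvar, current_index):
    """The bridge's rule: the instruction just before us must be a secp256k1 check over a quorum."""
    if current_index == 0:
        return False
    prev = sysvar.instructions[current_index - 1]
    return prev.program_id == SECP256K1_PROGRAM_ID and prev.verified_sigs >= GUARDIAN_QUORUM


def verify_signatures_vulnerable(accounts, current_index):
    """Trusts whatever account the caller placed in the 'instructions sysvar' slot."""
    return prior_secp_check_passed(accounts["instructions"], current_index)


def verify_signatures_hardened(accounts, current_index):
    """Same rule, but the account is first pinned to the canonical sysvar address."""
    sysvar = accounts["instructions"]
    if sysvar.key != SYSVAR_INSTRUCTIONS_ID:
        return False
    return prior_secp_check_passed(sysvar, current_index)


def honest_transaction():
    """Constructed: a real secp256k1 check over a quorum of guardians, then the bridge call."""
    tx = [Instruction(SECP256K1_PROGRAM_ID, verified_sigs=GUARDIAN_QUORUM),
          Instruction(BRIDGE_PROGRAM_ID, name="verify_signatures")]
    return {"instructions": genuine_sysvar(tx)}, 1


def forged_transaction():
    """Constructed attack: no signature check ran; an attacker-owned account poses as the sysvar."""
    bridge_call = Instruction(BRIDGE_PROGRAM_ID, name="verify_signatures")
    fake_sysvar = Account("Attacker1111111111111111111111111111111111",
                          [Instruction(SECP256K1_PROGRAM_ID, verified_sigs=GUARDIAN_QUORUM),
                           bridge_call])
    # The attacker also controls the 'current index', since it is read from the same fake account.
    return {"instructions": fake_sysvar}, 1


def forged_transaction_seen_by_runtime():
    """The same attacker transaction if the runtime's real sysvar were consulted instead."""
    tx = [Instruction(BRIDGE_PROGRAM_ID, name="verify_signatures")]
    return {"instructions": genuine_sysvar(tx)}, 0
```

The hardened version changes one thing: an account that claims to be a system-provided data source is accepted only if it lives at the system's canonical address. Everything read from such an account (here the previous instruction and the current index) is attacker-controlled until that pin is in place.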

WHAT HAPPENED AFTER

The team behind Wormhole sent an on-chain message to the attacker's wallet offering a white-hat agreement: a $10 million bug bounty in exchange for returning the rest of the funds. The attacker did not respond.

The team announced that they would work to return all ETH back into the bridge: "The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1."

Less than 24 hours after the hack, the Wormhole team had replenished all of the missing funds, thanks to Jump Trading Group stepping in, which allowed the bridge to reopen.

NOMAD BRIDGE

HOW IT HAPPENED

On August 2, 2022, the Nomad bridge was drained of all of its liquidity, about $190 million in value at the time, within hours. What set this attack apart was that anyone could repeat the original exploiter's transaction, and dozens of people piled in, many claiming they were doing so to return the funds to the bridge and help the community.

A contract upgrade in June 2022 had marked the zero value (0x00…) as a trusted root. A message that had never been proven against any root read back that same default zero value from storage, so the contract accepted every such message as valid; copying the original attacker's transaction and changing the recipient address was enough to withdraw funds.

More than 40 addresses exploited the contract, one of them taking $42 million.
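A Python model of the zero-root defect described above, added here as an illustration; it is not Nomad's contract and it simplifies the real destination-side contract (no Merkle proofs, a constructed message format, constructed timestamps and an assumed 30-minute optimistic window). It shows why initializing the trusted root to zero turned every unproven message into a valid one, how copycats could replay with only the recipient changed, and what a hardened process check looks like next to the vulnerable one.

```python
import hashlib
from dataclasses import dataclass

ZERO_ROOT = "0x" + "00" * 32   # bytes32(0): what an unset storage slot reads back as
OPTIMISTIC_WINDOW = 30 * 60    # seconds before a newly submitted root is trusted (assumed value)


@dataclass(frozen=True)
class Message:
    origin: str
    recipient: str
    amount: int
    nonce: int

    def digest(self):
        raw = f"{self.origin}|{self.recipient}|{self.amount}|{self.nonce}".encode()
        return "0x" + hashlib.sha256(raw).hexdigest()


class Replica:
    """Constructed model of the destination-side contract that releases funds for proven messages."""

    def __init__(self, committed_root, now):
        self.confirm_at = {}   # root -> timestamp from which it is acceptable (absent = never)
        self.messages = {}     # message digest -> root it was proven under
        self.processed = set()
        self.credited = {}     # recipient -> amount released
        # initialize(): the committed root is trusted right away.
        self.confirm_at[committed_root] = now

    def update(self, new_root, now):
        """A relayer submits a new root; it becomes acceptable once the window has elapsed."""
        self.confirm_at[new_root] = now + OPTIMISTIC_WINDOW

    def prove(self, msg, root):
        # Merkle-proof verification against `root` is elided in this model.
        self.messages[msg.digest()] = root

    def acceptable_root(self, root, now):
        confirm_at = self.confirm_at.get(root, 0)
        return confirm_at != 0 and now >= confirm_at

    def _release(self, digest, msg):
        self.processed.add(digest)
        self.credited[msg.recipient] = self.credited.get(msg.recipient, 0) + msg.amount
        return True

    def process_vulnerable(self, msg, now):
        digest = msg.digest()
        if digest in self.processed:
            return False
        # A message that was never proven reads back the mapping default: the zero root.
        root = self.messages.get(digest, ZERO_ROOT)
        if not self.acceptable_root(root, now):
            return False
        return self._release(digest, msg)

    def process_hardened(self, msg, now):
        digest = msg.digest()
        if digest in self.processed or digest not in self.messages:
            return False   # never proven: refuse, whatever confirmAt says
        root = self.messages[digest]
        if root == ZERO_ROOT or not self.acceptable_root(root, now):
            return False
        return self._release(digest, msg)


NOW = 1_659_400_000  # constructed timestamp


def replay_scenario(hardened):
    """The upgrade that committed the zero root, then the original exploit and two copycats."""
    replica = Replica(committed_root=ZERO_ROOT, now=NOW)
    process = replica.process_hardened if hardened else replica.process_vulnerable
    process(Message("ethereum", "0xattacker", 100, nonce=1), NOW)
    # Copycats resend the same calldata with only the recipient swapped; nothing was ever proven.
    for copycat in ("0xcopycat1", "0xcopycat2"):
        process(Message("ethereum", copycat, 100, nonce=1), NOW)
    return dict(replica.credited)


def correct_deployment():
    """With a genuine committed root, even the vulnerable code rejects an unproven message."""
    replica = Replica(committed_root="0x" + "ab" * 32, now=NOW)
    return replica.process_vulnerable(Message("ethereum", "0xattacker", 100, nonce=1), NOW)


def legitimate_flow():
    """Root submitted, message proven, released only after the optimistic window."""
    root = "0x" + "ab" * 32
    replica = Replica(committed_root="0x" + "cd" * 32, now=NOW)
    replica.update(root, NOW)
    msg = Message("ethereum", "0xalice", 42, nonce=7)
    replica.prove(msg, root)
    if replica.process_hardened(msg, NOW):   # still inside the window
        return -1
    replica.process_hardened(msg, NOW + OPTIMISTIC_WINDOW)
    return replica.credited.get("0xalice", 0)
```

The lesson generalizes beyond this incident: any check of the form "is the stored value for this key trusted?" must treat the storage default (zero) as "absent", never as a value that can itself be put on the trusted list, and a message should carry explicit proven state rather than be inferred from a mapping lookup that defaults silently.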

WHAT HAPPENED AFTER

The Nomad team asked for the funds to be returned and offered 10% of any returned amount as a bounty. They also stated that no legal action would be taken against those who returned funds, as they would be treated as white-hat hackers.

As of October 2022, about $32 million had been recovered into a recovery fund, and the team was preparing to restart the bridge early that month.

HARMONY BRIDGE

HOW IT HAPPENED

On June 24, 2022, the Harmony Bridge was attacked for $100 million. The bridge was secured by a set of 5 signer wallets, of which only 2 were needed to sign a transaction. As in the Ronin hack, the attacker obtained the keys to 2 of the 5 wallets, by means that remain unknown, and was then able to move funds at will: 13.1k ETH and 5.5M BUSD via the BUSD bridge, plus several other assets drained from the ERC20 bridge.

The attacker also drained the BSC bridge of 5k BNB and 640k BUSD.

WHAT HAPPENED AFTER

On June 25, the Harmony team announced a $1 million bounty for the return of all funds. The attacker instead began laundering the stolen funds through Tornado Cash. On June 29, the bounty was raised to $10 million, with a further $10 million offered for information leading to the return of the funds.

The team stated that it was working with the community to make sure funds were returned to the roughly 50k wallets affected by the hack. Unfortunately, the attacker has neither contacted the protocol nor made any move to return the stolen funds.

Since the hack, the signing threshold has been raised from 2 of the 5 wallets to 4.
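The Ronin and Harmony incidents share one failure: the signing threshold counted keys, not independent organizations. The following Python script is added here as an illustration for both passages and is not code from the article or from either project. It computes how many distinct organizations an attacker has to compromise to reach a bridge's signing threshold once key delegations are taken into account. The key-to-holder maps are constructed from the article's description; the operators of the non-Sky-Mavis Ronin validators and of the five Harmony wallets are not named on the page and appear as placeholders.

```python
from itertools import combinations

# Constructed models of the two signer sets the article describes.
# Each map goes from a signing key to the organisation that holds it.

# Ronin: 9 validator keys, 5 signatures needed. Sky Mavis ran 4 keys and,
# since November 2021, could also sign on behalf of the Axie DAO key.
# The four remaining operators are not named on the page; placeholders here.
RONIN_THRESHOLD = 5
RONIN_KEYS = {
    "sky_mavis_1": "Sky Mavis", "sky_mavis_2": "Sky Mavis",
    "sky_mavis_3": "Sky Mavis", "sky_mavis_4": "Sky Mavis",
    "axie_dao": "Axie DAO",
    "validator_6": "Operator F", "validator_7": "Operator G",
    "validator_8": "Operator H", "validator_9": "Operator I",
}
RONIN_DELEGATIONS = {"axie_dao": "Sky Mavis"}   # key -> party allowed to sign for it

# Harmony: 5 signer wallets; threshold 2 before the incident, 4 afterwards.
# The page does not say who held each wallet; assumed one holder per wallet.
HARMONY_KEYS = {f"wallet_{i}": f"Holder {i}" for i in range(1, 6)}


def effective_controllers(keys, delegations=None):
    """Who can actually produce a signature for each key once delegations are applied."""
    delegations = delegations or {}
    return {key: delegations.get(key, holder) for key, holder in keys.items()}


def min_parties_to_compromise(keys, threshold, delegations=None):
    """Smallest number of distinct organisations whose keys together reach the threshold."""
    control = effective_controllers(keys, delegations)
    parties = sorted(set(control.values()))
    for size in range(1, len(parties) + 1):
        for group in combinations(parties, size):
            signable = sum(1 for holder in control.values() if holder in group)
            if signable >= threshold:
                return size
    return None  # threshold unreachable even with every party compromised


def largest_single_party(keys, delegations=None):
    """The organisation holding the most signing power and how many keys it controls."""
    control = effective_controllers(keys, delegations)
    counts = {}
    for holder in control.values():
        counts[holder] = counts.get(holder, 0) + 1
    holder, n = max(counts.items(), key=lambda kv: kv[1])
    return holder, n


def meets_separation_policy(keys, threshold, delegations=None, min_parties=3):
    """Policy check: reaching the threshold must require at least `min_parties` organisations."""
    needed = min_parties_to_compromise(keys, threshold, delegations)
    return needed is not None and needed >= min_parties


if __name__ == "__main__":
    cases = [
        ("Ronin 5-of-9, stale delegation", RONIN_KEYS, RONIN_THRESHOLD, RONIN_DELEGATIONS),
        ("Ronin 5-of-9, delegation revoked", RONIN_KEYS, RONIN_THRESHOLD, None),
        ("Harmony 2-of-5", HARMONY_KEYS, 2, None),
        ("Harmony 4-of-5", HARMONY_KEYS, 4, None),
    ]
    for name, keys, threshold, delegations in cases:
        print(name,
              "parties to compromise:", min_parties_to_compromise(keys, threshold, delegations),
              "largest holder:", largest_single_party(keys, delegations))
```

Run as a periodic control rather than a one-off: the interesting number is not the threshold itself but how many independent organizations it takes to reach it, and that number silently drops whenever a temporary delegation is granted and not revoked.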

After a proposal to mint the chain's native token ONE to cover the stolen funds was poorly received by the community, Harmony's team stated that it plans to use the treasury to repay users and to continue building for years to come, "starting Q4 2022".

QUBIT BRIDGE

HOW IT HAPPENED

On January 28, 2022, the Qubit Bridge was hacked for what was, at the time, $80 million.

Qubit's product allowed cross-chain collateralization: users could lock ETH on Ethereum, for example, and borrow assets on Binance Smart Chain against it. Because of a bug in the deposit logic, the attacker was able to trigger a deposit event without actually transferring any ETH, and the bridge minted 77,162 qXETH, the token representing Ether on the Qubit bridge, on the BSC side. The attacker then borrowed against the newly minted collateral, taking WETH, BTCB, USD stablecoins, CAKE, BUNNY, and MDX before swapping everything into a total of 200k BNB, worth $80 million at the time.
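How a deposit handler can emit a deposit event without any value moving, as an added Python model that is not Qubit's code. It assumes the widely reported mechanism for this incident: the ETH resource pointed the token-transfer call at the zero address, and a call to an address with no code succeeds in the EVM with empty return data, which a lenient transfer wrapper treated as success. The page itself says only "faulty code", so treat the mechanism as illustrative; the chain model, addresses and amounts are constructed.

```python
ZERO_ADDRESS = "0x" + "00" * 20
BRIDGE = "0xbridge"  # constructed address of the bridge contract


class Chain:
    """Constructed EVM-like model: accounts that may or may not hold code, ERC20 balances, events."""

    def __init__(self):
        self.has_code = {}    # address -> bool
        self.balances = {}    # (token, holder) -> amount
        self.events = []      # (name, token, depositor, amount)

    def deploy_token(self, token, holder, supply):
        self.has_code[token] = True
        self.balances[(token, holder)] = supply

    def balance_of(self, token, holder):
        return self.balances.get((token, holder), 0)

    def call_transfer_from(self, token, sender, recipient, amount):
        """CALL semantics: a call to an address with no code succeeds and returns empty data."""
        if not self.has_code.get(token):
            return True, b""
        bal = self.balance_of(token, sender)
        if bal < amount:
            return False, b""  # the token reverted
        self.balances[(token, sender)] = bal - amount
        self.balances[(token, recipient)] = self.balance_of(token, recipient) + amount
        return True, b"\x01"   # ERC20 `true`


def lenient_safe_transfer_from(chain, token, sender, recipient, amount):
    """Optional-return handling that treats empty return data as success, with no code-size check."""
    ok, ret = chain.call_transfer_from(token, sender, recipient, amount)
    return ok and ret in (b"", b"\x01")


def deposit_vulnerable(chain, token, depositor, amount):
    """Emits Deposit as soon as the transfer call 'succeeds', whatever actually happened."""
    if not lenient_safe_transfer_from(chain, token, depositor, BRIDGE, amount):
        raise ValueError("transfer failed")
    chain.events.append(("Deposit", token, depositor, amount))
    return True


def deposit_hardened(chain, token, depositor, amount):
    """Requires a real token and measures the balance the bridge actually received."""
    if not chain.has_code.get(token):
        raise ValueError("token address has no code")
    before = chain.balance_of(token, BRIDGE)
    if not lenient_safe_transfer_from(chain, token, depositor, BRIDGE, amount):
        raise ValueError("transfer failed")
    received = chain.balance_of(token, BRIDGE) - before
    if received != amount:
        raise ValueError(f"expected {amount}, received {received}")
    chain.events.append(("Deposit", token, depositor, amount))
    return True


def relayer_minted(chain):
    """Destination-side view: wrapped tokens minted purely from Deposit events."""
    return sum(amount for name, _token, _who, amount in chain.events if name == "Deposit")


def zero_address_scenario(hardened):
    """The incident's shape: the ETH resource points at the zero address; the attacker deposits nothing."""
    chain = Chain()
    deposit = deposit_hardened if hardened else deposit_vulnerable
    try:
        deposit(chain, ZERO_ADDRESS, "0xattacker", 77_162)
    except ValueError:
        pass
    return relayer_minted(chain), chain.balance_of(ZERO_ADDRESS, BRIDGE)


def honest_scenario():
    """A real token: the hardened handler mints exactly what the bridge received."""
    chain = Chain()
    chain.deploy_token("0xtoken", "0xalice", 100)
    deposit_hardened(chain, "0xtoken", "0xalice", 40)
    return relayer_minted(chain), chain.balance_of("0xtoken", BRIDGE)
```

The hardened handler applies two rules that hold for any bridge deposit path: refuse to call a token address that has no code, and mint on the destination only for the amount the bridge can measure it actually received, never for the amount the caller claimed.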

WHAT HAPPENED AFTER

The team announced a bounty for the attacker capped at $250k, but stated that they were open to negotiating the amount if the attacker was willing to work toward a solution together. The hacker did not respond.

In the following months, the team announced plans to return the money and set up a compensation mechanism for affected wallets. The hacker never returned the funds, and Qubit eventually announced that it was scaling back the team for lack of operating funds.

As of October 4, only $1.74 million had been returned, and roughly $90 million was still needed to cover the hack. Qubit's last Twitter post was on March 17.
