Entries related to bridge attacks

July 2, 2023

Poly Network exploited again

The name Poly Network may ring a bell, because in August 2021 they were exploited for an (at the time) record-setting $611 million.

Now, it's happened again, and some reports are throwing around even more massive numbers like $42 billion. In reality, the exploiters were able to mint massive quantities of tokens on multiple networks, with their wallet balances showing numbers in the billions. However, complete lack of liquidity for these tokens meant their "billions" are worth substantially less.

According to crypto research firm Beosin, the attackers have so far cashed out around 5,196 ETH (~$10.1 million) in liquid assets. Poly Network suspended services shortly after the attack.

April 1, 2023

Allbridge cross-chain bridge exploited for around $574,000

(attribution)

The Allbridge cross-chain bridge project was exploited for around 283,000 BUSD and 291,000 USDT (~$574,000). The thief was able to manipulate a vulnerability in the project's smart contract that allowed them to manipulate the price of assets in the Allbridge liquidity pool.

Allbridge announced that they were investigating the theft, and were working with law enforcement. Meanwhile, the project suspended operations and announced that they were preparing a user compensation plan.

January 24, 2023

FBI pins the Harmony Bridge hack on North Korea

(attribution)

A June 2022 hack saw cryptocurrency notionally worth $100 million stolen from Harmony's Horizon Bridge. At the time, blockchain research firm Ellipsis concluded that there were "strong indications" that the hack had been perpetrated by the North Korea state-sponsored Lazarus hacking group. Lazarus has been responsible for several major crypto hacks before this one, including the massive Axie Infinity hack in March 2022.

Now, the FBI has accused two groups of North Korean hackers — Lazarus and APT38 — of perpetrating the Harmony hack. The groups then used Tornado Cash and RAILGUN to launder the funds.

"FBI accuses North Korean government hackers of stealing $100M in Harmony bridge theft", TechCrunch

October 18, 2022

Vulnerability in BitBTC bridge ends in an exploit where the clock is ticking

(attribution)

A security researcher published a frustrated Twitter thread reporting that "BitBTC's Optimism bridge is trivially vulnerable. Their team has ignored my messages, so I'm going to publish the critical exploit here." They described an issue where it was possible for people to create tokens on the Optimism side of the bridge that could be tied to any token on the other side of the bridge — meaning an exploiter could create a valueless token and bridge it to an unrelated token with actual value.

Less than a day after publishing the thread, someone did exactly what the researcher described, and was able to cause the bridge to mint and transfer 200 billion BitBTC. BitBTC aims to be valued at 1/1,000,000 of a BTC, meaning the exploiter on paper just landed themselves 200,000 BTC, but this is another case where massive amounts of a token were created and could never be traded for anywhere near their ostensible "value". BitBTC doesn't have publicly available data on the backing of their tokens, but it's certainly nowhere near 200,000 BTC. The project appears to be very new, and was created by a self-described "19 year old Bitcoin believer".

BitBTC has seven days from the time of the hack to fix the issue in their bridge before the transfer is complete and the attacker is awarded the tokens. Meanwhile, the hacker left an Ethereum transaction note to say that "I'm not a hacker, just want to test the exploit with a [proof of concept], won't touch any of the valuable assets."

October 11, 2022

QANX Bridge suffers $1.16 million loss caused by the Profanity vanity address vulnerability

(attribution)

On September 15, a blockchain security firm disclosed a vulnerability affecting Profanity, a tool that allowed people to generate "vanity" crypto wallet addresses: addresses containing specified strings of characters. This affected some individuals with vanity addresses, but has also enabled subsequent attacks on projects that used vanity addresses, such as the Wintermute exploit on September 20.

On October 11, the QANX Bridge's deployer wallet was compromised thanks to the vanity address generator bug. Although QAN had not directly used the Profanity project to generate the address, they used a project called vanity-eth-gpu, which had derived its code from Profanity and so inherited the bug. QAN is a layer 1 blockchain that claims to be quantum-resistant.

The thief stole 1.44 billion QANX from QANX's BNB Chain bridge, which they traded for 3,090 BNB (~$837,000) and tumbled through Tornado Cash. One minute later, they drained 1.43 billion QANX from QANX's Ethereum bridge, traded it for 255.4 ETH (~$327,000), and tumbled it as well. In total, $1.16 million was cashed out via Tornado. News of the attack, and the attacker's sell-off, caused the QANX price to plummet by 94%.

The attacker still holds more than 1 million QANX, nominally worth $608,000. However, QAN withdrew liquidity for the project on Uniswap and Pancakeswap, which will make it more difficult for the attacker to sell off their remaining tokens.

This was the second theft affecting the QAN platform this year. In May, an attacker stole 4.4 million QANX, which they traded for 370 ETH (valued at ~$707,000 at the time).

"QANX Bridge wallet disclosure analysis [continuously updated]", QAN Platform
"Hacker drains $2 million from QANplatform bridge, token slumps 94%", The Block

October 6, 2022

Binance Smart Chain halts after $570 million bridge exploit

(attribution)

Binance Smart Chain, the relatively popular blockchain that Binance is trying to rebrand as "BNB Chain", was halted when an attacker exploited "BSC Token Hub", the bridge between the old Binance Beacon Chain and BSC. The attacker successfully moved around $127 million of the stolen crypto assets off the chain before it was paused. The attacker's wallet contained 2 million BNB, valued at $586 million based on the price at the time of the hack, but as a result of the chain halt, they were not able to exfiltrate the entire amount.

Binance CEO Changpeng Zhao ("CZ") tweeted that "An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC." A BSC developer later confirmed that "we coordinated with validators to temporarily suspend BSC after having determined an exploit on a cross-chain bridge, BSC Token Hub- which resulted in extra BNB". The value of the $BNB token dropped from $293.10 to $280.40 after the news.

The chain operators and CZ seemed to feel a little awkward about the ramifications of unilaterally deciding to halt a supposedly decentralized blockchain. CZ claimed he was asleep and that the chain had already been halted by the time he woke up. The BSC team published a blog post saying that "Decentralized chains are not designed to be stopped, but by contacting community validators one by one, we were able to stop the incident from spreading. It was not that easy as BNB Smart Chain has 26 active validators at present and 44 in total in different time zones. This delayed closure, but we were able to minimize the loss." They also promised to try to decentralize the project even further going forward.

August 17, 2022

Celer Network's cBridge suffers BGP hijacking attack, users lose combined $240,000

(attribution)

The Celer Network's cBridge project was targeted with a BGP hijacking attack. Users who tried to access the bridge's frontend were instead shown a site that prompted them to authorize transactions that drained their wallets. The attacker was able to steal around 128 ETH (~$240,000) before the exploit was discovered and Celer took the frontend offline. The stolen funds were quickly transfered to the Tornado Cash cryptocurrency tumbler.

Tweet by CelerNetwork
Etherscan for attacker wallet
"Truth Behind the Celer Network cBridge cross-chain bridge incident: BGP hijacking", SlowMist

June 23, 2022

Cryptocurrencies notionally worth $100 million stolen from Horizon Bridge

(attribution)

The Horizon Bridge is a blockchain bridge allowing assets to be used across Ethereum, BNB, and Harmony blockchains. The bridge is run by the Harmony blockchain project.

On June 23, someone was able to steal assets from the bridge that they then converted to more than 85,800 ETH. The stolen funds are notionally valued at almost $100 million, assuming the thief can cash them out successfully. Hours after the attack, most of the funds remained in the thief's wallet and had not yet been laundered.

A June 29 analysis by blockchain research firm Ellipsis claimed that "there are strong indications that North Korea's Lazarus Group may be responsible for this theft". Lazarus was also behind the $625 million bridge hack in March, targeting the Axie Infinity game.

May 18, 2022

"Quantum-resistant" blockchain QAN suffers bridge attack

(attribution)

The $QANX token for the QAN project suddenly plummeted in value as an attacker stole more than 4 million QANX from the project. The attacker subsequently swapped the tokens for around 370 ETH ($707,000). In a video posted to Twitter, the project CEO stated that it was "definitely a bridge issue", and that they'd shut down the project's bridge. They also said they had contacted exchanges to freeze the wallets that had been involved in the "issue".

QAN describes itself as a blockchain that helps "resist quantum attacks", though apparently not the types of bridge attacks that have become fairly common in the past year or so.

Tweet by QANplatform

April 7, 2022

Blockchain bridge for the WonderHero play-to-earn game is exploited

(attribution)

WonderHero is a mobile play-to-earn turn-based strategy game. Attackers were able to mint 80 million $WND after successfully exploiting the bridge linking the WonderHero play-to-earn sidechain and the BNB chain. The attacker was able to swap their stolen $WND for 750 BNB ($325,000), tanking the price of $WND to near zero in the process.