Skip to timeline

Web3 is Going Just Great

...and is definitely not an enormous grift that's pouring lighter fluid on our already smoldering planet.

Created by Molly White. Subscribe to her newsletter for weekly recaps.

$12 million taken by whitehats from Ronin bridge

The Ronin bridge, which bridges crypto assets to the Ronin Network used by Axie Infinity and other gaming projects, has once again suffered a breach — though a considerably smaller one than the recordbreaking $625 million theft in March 2022. An update to the bridge code introduced a flaw with respect to how transactions were confirmed.

Fortunately for the Ronin team, it seems that most of the losses actually went to whitehats and MEV bots that were frontrunning transactions by would-be exploiters. ETH and USDC priced at around $12 million were taken — the maximum amount before triggering a safety feature in the code. Later that day, Ronin announced that the ETH (worth around $10 million) had been returned, and that the USDC was in the process of being returned. They also announced that they would reward the whitehats with a $500,000 bug bounty reward.

The Ronin bridge was taken offline shortly after the flaw was detected, and the team announced it would undergo an audit before being brought back online.

Theme tags: Bug, Hack or scam
Blockchain tags: Blockchain: Ethereum
Tech tags: blockchain gaming

Socket service and its Bungee bridge suffer $3.3 million theft

The Socket cross-chain infrastructure protocol was hacked for around $3.3 million in an attack that exploited its Bungee bridge. The thieves were able to exploit a bug that allowed them to take assets from those who had granted approval to a portion of the system called SocketGateway.

A little over 700 victims were affected, and the highest loss from a single wallet was around $657,000. 121 wallets lost assets priced at more than $10,000.

On January 23, the protocol announced they had recovered 1,032 ETH (~$2.23 million) of the stolen funds.

Theme tags: Hack or scam

Orbit Bridge hacked for $81 million

The Orbit Bridge project, a cross-chain bridge for the Orbit Chain project, was exploited on December 31 for around $81 million. The attacker made off with around 26,742 ETH (~$64 million) and $18 million in the DAI stablecoin. Orbit Chain's total value locked plummeted from $152 million to $71 million as over half the funds were drained.

Orbit began sending the attacker on-chain messages, writing that "we will track you down and restore the damage you incurred to the ecosystem. And we will not stop." Orbit also wrote on Twitter that they were working with various law enforcement agencies.

Theme tags: Hack or scam
Blockchain tags: Blockchain: Ethereum
Tech tags: DeFi

Aurory bridge hacked for over $1 million

The Aurory gaming platform uses a bridge called SyncSpace to move assets between the blockchain and the game's off-chain network. On December 17, the bridge was targeted on Arbitrum's Camelot DEX, and an attacker successfully siphoned around 600,000 $AURY tokens from the liquidity pool. As a result, the pool went from around $1.5 million in liquidity to around $312,000, and the price of the $AURY token dropped 11% as the attacker sold it off in bulk.

The Aurory team posted on Twitter to acknowledge the hack, writing that they'd disabled SyncSpace as they investigated. They also wrote that SyncSpace had been audited months ago, but that the audit had failed to detect the vulnerability.

Theme tags: Hack or scam
Blockchain tags: Blockchain: Ethereum, Solana
Tech tags: blockchain gaming

HTX (fka Huobi) and Heco Chain hacked for $115 million

Justin Sun confirmed that HTX (formerly Huobi) and its related Heco Chain protocol were hacked for a combined $115 million. It's been a rough few weeks for Sun, whose Poloniex exchange was hacked for around $120 million on November 10, and a rough few months for HTX, which was hacked for $8 million in late September.

HTX suspended withdrawals as they investigated the hack, and wrote that the company would "fully compensate for HTX's hot wallet losses". Security firm Cyvers said they believed the theft was enabled by a private key leak.

Theme tags: Hack or scam
Blockchain tags: Blockchain: Ethereum

Poly Network exploited again

The name Poly Network may ring a bell, because in August 2021 they were exploited for an (at the time) record-setting $611 million.

Now, it's happened again, and some reports are throwing around even more massive numbers like $42 billion. In reality, the exploiters were able to mint massive quantities of tokens on multiple networks, with their wallet balances showing numbers in the billions. However, complete lack of liquidity for these tokens meant their "billions" are worth substantially less.

According to crypto research firm Beosin, the attackers have so far cashed out around 5,196 ETH (~$10.1 million) in liquid assets. Poly Network suspended services shortly after the attack.

Theme tags: Hack or scam
Tech tags: DeFi

Allbridge cross-chain bridge exploited for around $574,000

The Allbridge cross-chain bridge project was exploited for around 283,000 BUSD and 291,000 USDT (~$574,000). The thief was able to manipulate a vulnerability in the project's smart contract that allowed them to manipulate the price of assets in the Allbridge liquidity pool.

Allbridge announced that they were investigating the theft, and were working with law enforcement. Meanwhile, the project suspended operations and announced that they were preparing a user compensation plan.

Theme tags: Bug, Hack or scam
Blockchain tags: Blockchain: BNB Chain

FBI pins the Harmony Bridge hack on North Korea

A June 2022 hack saw cryptocurrency notionally worth $100 million stolen from Harmony's Horizon Bridge. At the time, blockchain research firm Ellipsis concluded that there were "strong indications" that the hack had been perpetrated by the North Korea state-sponsored Lazarus hacking group. Lazarus has been responsible for several major crypto hacks before this one, including the massive Axie Infinity hack in March 2022.

Now, the FBI has accused two groups of North Korean hackers — Lazarus and APT38 — of perpetrating the Harmony hack. The groups then used Tornado Cash and RAILGUN to launder the funds.

Theme tags: Law
Blockchain tags: Blockchain: BNB Chain, Ethereum

Vulnerability in BitBTC bridge ends in an exploit where the clock is ticking

A security researcher published a frustrated Twitter thread reporting that "BitBTC's Optimism bridge is trivially vulnerable. Their team has ignored my messages, so I'm going to publish the critical exploit here." They described an issue where it was possible for people to create tokens on the Optimism side of the bridge that could be tied to any token on the other side of the bridge — meaning an exploiter could create a valueless token and bridge it to an unrelated token with actual value.

Less than a day after publishing the thread, someone did exactly what the researcher described, and was able to cause the bridge to mint and transfer 200 billion BitBTC. BitBTC aims to be valued at 1/1,000,000 of a BTC, meaning the exploiter on paper just landed themselves 200,000 BTC, but this is another case where massive amounts of a token were created and could never be traded for anywhere near their ostensible "value". BitBTC doesn't have publicly available data on the backing of their tokens, but it's certainly nowhere near 200,000 BTC. The project appears to be very new, and was created by a self-described "19 year old Bitcoin believer".

BitBTC has seven days from the time of the hack to fix the issue in their bridge before the transfer is complete and the attacker is awarded the tokens. Meanwhile, the hacker left an Ethereum transaction note to say that "I'm not a hacker, just want to test the exploit with a [proof of concept], won't touch any of the valuable assets."

Theme tags: Bug, Hack or scam
Blockchain tags: Blockchain: Bitcoin, Ethereum
Tech tags: DeFi

QANX Bridge suffers $1.16 million loss caused by the Profanity vanity address vulnerability

On September 15, a blockchain security firm disclosed a vulnerability affecting Profanity, a tool that allowed people to generate "vanity" crypto wallet addresses: addresses containing specified strings of characters. This affected some individuals with vanity addresses, but has also enabled subsequent attacks on projects that used vanity addresses, such as the Wintermute exploit on September 20.

On October 11, the QANX Bridge's deployer wallet was compromised thanks to the vanity address generator bug. Although QAN had not directly used the Profanity project to generate the address, they used a project called vanity-eth-gpu, which had derived its code from Profanity and so inherited the bug. QAN is a layer 1 blockchain that claims to be quantum-resistant.

The thief stole 1.44 billion QANX from QANX's BNB Chain bridge, which they traded for 3,090 BNB (~$837,000) and tumbled through Tornado Cash. One minute later, they drained 1.43 billion QANX from QANX's Ethereum bridge, traded it for 255.4 ETH (~$327,000), and tumbled it as well. In total, $1.16 million was cashed out via Tornado. News of the attack, and the attacker's sell-off, caused the QANX price to plummet by 94%.

The attacker still holds more than 1 million QANX, nominally worth $608,000. However, QAN withdrew liquidity for the project on Uniswap and Pancakeswap, which will make it more difficult for the attacker to sell off their remaining tokens.

This was the second theft affecting the QAN platform this year. In May, an attacker stole 4.4 million QANX, which they traded for 370 ETH (valued at ~$707,000 at the time).

Theme tags: Hack or scam
Blockchain tags: Blockchain: BNB Chain, Ethereum

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.