Cross-chain bridge security incidents occur frequently: nearly $2 billion in losses, of which over $1.5 billion has been recovered or compensated
Cross-chain bridge attack incidents review: nearly $2 billion in losses, over $1.5 billion compensated or recovered
In the blockchain ecosystem, there are numerous public chains, but due to the lack of mainstream assets, most need to acquire assets through cross-chain bridges from mainstream public chains like Ethereum. Recently, security incidents in the DeFi sector have been frequent, and cross-chain bridges have become the primary target for attackers due to their large capital flows. This article reviews 10 significant cross-chain bridge attack incidents that occurred in the past, reminding development teams to remain vigilant about security risks. It is worth noting that cross-chain bridge projects with strong backgrounds and financial strength are often more capable of recovering assets or compensating users after encountering security incidents, so users choosing stronger cross-chain bridges will be more secure.
ChainSwap: $8 million loss, compensated through token reissuance
In July 2021, ChainSwap suffered two hacker attacks. The first resulted in a loss of about $800,000, while the second caused a loss of approximately $8 million. The second attack had a wider impact, affecting over 20 projects that used ChainSwap for cross-chain transactions.
Investigations show that the cause of the incident was the lack of strict validation of signature validity in the protocol, which allowed attackers to use self-generated signatures to sign transactions. As the losses mainly affected governance tokens of various projects, including ChainSwap, multiple projects decided to take snapshots and issue new tokens to compensate token holders and liquidity providers.
Poly Network: All $610 million recovered
On August 10, 2021, the cross-chain interoperability protocol Poly Network was hacked, resulting in losses of $250 million, $270 million, and $85 million in assets on Ethereum, Binance Smart Chain, and Polygon respectively, totaling approximately $610 million.
The attack primarily exploited a vulnerability in the permission management logic of the Poly Network contract. The attacker constructed an operation on the source chain that modified the validator on the target chain to their own address; the official relayer submitted and executed this operation without any precautions; the attacker then signed the outgoing assets using the replaced validator address; the transaction was validated and executed, and the assets were transferred to the hacker's address.
The attacker was well-prepared in advance, with the initial funds sourced from the privacy coin XMR, which were exchanged for BNB, ETH, and MATIC at exchanges that do not require KYC before withdrawing. However, in the end, the hacker returned all the funds, and Poly Network referred to them as a "white hat" hacker, inviting them to serve as the company's Chief Security Advisor.
Multichain: $6 million loss, compensation has been paid
On January 18, 2022, Multichain discovered a significant vulnerability affecting six tokens: WETH, PERI, OMT, WBNB, MATIC, and AVAX. Although the vulnerability has been fixed, users still need to revoke authorizations as soon as possible to avoid asset risks. A month later, Multichain released an investigation report showing that a total of 7,962 user addresses were affected, of which 4,861 have revoked authorization and 3,101 have not. A total of 1,889.6612 WETH and 833.4191 AVAX were stolen, valued at approximately $6.04 million based on the price on January 18.
The security team's analysis attributes the theft to a flaw in how Multichain checked the legitimacy of tokens sent by users. It did not take into account that not all underlying tokens implement the permit function, which led to the WETH previously authorized to the AnyswapV4Router contract being transferred to a malicious address constructed by the attacker.
By the time the investigation report was released, 912.7984 WETH and 125 AVAX had been recovered, accounting for nearly 50% of the stolen funds. The team proposed to return the recovered funds to users who have revoked contract authorizations, but will no longer compensate for losses incurred after February 18 at 24:00.
QBridge: $80 million loss, only 2% compensation
On January 28, 2022, QBridge, the cross-chain bridge of the lending protocol Qubit, was attacked, resulting in a loss of approximately $80 million.
The cause of the incident was that QBridge did not recheck whether it was a zero address when transferring whitelisted tokens. In the case where ERC20 tokens and ETH deposits are implemented separately, the deposit function used for depositing ERC20 tokens was exploited by hackers, setting the ERC20 token address to a zero address and minting a large amount of xETH tokens on BSC without depositing any tokens. The hackers then used these xETH as collateral to borrow other tokens from Qubit, leading to the depletion of Qubit's collateral.
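The missing check described above can be modelled in a few lines. This is an added example, not QBridge's contract code: the `Chain` class, the sample addresses and the whitelisting of the zero address as a native-asset placeholder are assumptions made for the illustration.

```python
ZERO_ADDRESS = "0x" + "00" * 20   # no contract code lives here
TOKEN = "0x" + "aa" * 20          # constructed sample token address

class Chain:
    """Tiny EVM-like model: only addresses in `tokens` have contract code."""
    def __init__(self):
        self.tokens = {TOKEN: {"alice": 100}}   # token -> {holder: balance}

    def call_transfer_from(self, token, sender, recipient, amount):
        """Mimic a raw CALL: returns (success, returndata)."""
        if token not in self.tokens:
            return True, b""        # call to a code-less address "succeeds"
        balances = self.tokens[token]
        if balances.get(sender, 0) < amount:
            return False, b""       # token contract reverts
        balances[sender] -= amount
        balances[recipient] = balances.get(recipient, 0) + amount
        return True, (1).to_bytes(32, "big")

def safe_transfer_from(chain, token, sender, amount, require_code):
    if require_code and token not in chain.tokens:
        return False                # hardened: target must be a contract
    ok, data = chain.call_transfer_from(token, sender, "bridge", amount)
    # Empty returndata is tolerated for tokens that return nothing.
    return ok and (data == b"" or int.from_bytes(data, "big") == 1)

def deposit_erc20(chain, whitelist, token, sender, amount, hardened):
    """Return the amount the bridge would mint on the destination chain."""
    if token not in whitelist:
        return 0
    if hardened and token == ZERO_ADDRESS:
        return 0                    # native-asset placeholder is not an ERC20
    if not safe_transfer_from(chain, token, sender, amount, hardened):
        return 0
    return amount

def demo():
    # Assumption: zero address is whitelisted as the native-asset placeholder.
    whitelist = {TOKEN, ZERO_ADDRESS}
    out = {}
    for mode, hardened in (("weak", False), ("hardened", True)):
        chain = Chain()
        out[mode] = {
            "real_deposit": deposit_erc20(chain, whitelist, TOKEN, "alice", 40, hardened),
            "zero_token": deposit_erc20(chain, whitelist, ZERO_ADDRESS, "nobody", 10**6, hardened),
            "bridge_balance": chain.tokens[TOKEN].get("bridge", 0),
        }
    return out
```

In the weak mode the zero-address deposit is credited although the bridge's token balance only reflects the real deposit; the hardened mode rejects it at two independent points.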
Currently, Qubit is almost unused, and the official website shows that 98% of the stolen funds have not yet been compensated.
Meter.io: 4.4 million USD loss, compensated with future earnings
On February 6, 2022, the Meter Passport cross-chain bridge was maliciously exploited, resulting in a loss of 4.4 million dollars.
Meter officials stated that the problem lies in the "faulty trust assumption" in the Meter extension source code, which allowed hackers to "invoke the underlying ERC20 deposit function" to forge BNB and ETH transfers.
Meter initially indicated that it would compensate users for their losses in BNB and WETH with MTRG tokens. However, after a governance vote, it was decided that new PASS tokens would be issued to compensate users, and that Meter's future earnings would be used to buy back PASS tokens, although no buybacks have taken place yet.
Ronin: $620 million loss, compensation has been paid
On the evening of March 29, 2022, funds from the Ronin chain behind Axie Infinity were stolen. The attack occurred on March 23, but it was not discovered until March 29, resulting in a loss of approximately $620 million.
The investigation shows that the Ronin hack originated from a social engineering attack. An employee from a fake company contacted employees of Axie Infinity and Ronin developer Sky Mavis through LinkedIn, encouraging them to apply for jobs. After several rounds of interviews, a Sky Mavis employee received an "Offer". After downloading a forged "Offer" acceptance letter, the hackers infiltrated the Ronin system, taking over 4 out of 9 validators. Subsequently, the hackers controlled the Axie DAO through Sky Mavis, which had previously allowed Sky Mavis to sign transactions on its behalf. Once the attackers accessed Sky Mavis, they could obtain signatures from the Axie DAO validators.
The stolen funds from Ronin have not been recovered. On April 4th, Sky Mavis announced the completion of a $150 million financing led by Binance to compensate users for their losses. On June 29th, Sky Mavis relaunched the Ronin bridge, allowing users to receive compensation. However, the stolen funds mainly consisted of ETH (173600 ETH and 25.5 million USDC). During the period from the attack to the compensation, the price of ETH dropped by about 2/3.
Wormhole: $326 million loss, compensation has been paid
On February 3, 2022, the cross-chain interoperability protocol Wormhole was attacked by hackers, resulting in a loss of approximately 120,000 ETH, worth about $326 million.
Hackers massively minted whETH on the Solana end of Wormhole and withdrew all ETH from Ethereum. On February 5, Wormhole reported that the vulnerability originated from an error in the signature verification code of the Wormhole core contract on the Solana end, allowing attackers to forge "guardian" messages to mint whETH.
On February 4th, Jump Crypto (which previously acquired the Wormhole development company Certus One) announced an investment of 120,000 ETH into Wormhole to compensate for the stolen losses, after which Wormhole resumed operations.
EvoDeFi: Expected loss of tens of millions of dollars, unresolved
On June 7, 2022, USDT severely depegged on the Oasis ecosystem DEX ValleySwap. ValleySwap was once the largest DEX on the Oasis chain, with a peak TVL of $220 million. Due to the high liquidity mining rewards for the USDC-USDT trading pair, some users mined in ValleySwap using these two stablecoins. Data shows that funds began to flow out of ValleySwap in large amounts starting June 4, with the TVL on June 7 being $88.78 million. The exact amount of losses is unknown, but it is estimated to be in the tens of millions of dollars.
The reason for ValleySwap's asset de-pegging is the insufficient liquidity on the source chain of the cross-chain bridge EVODeFi. EVODeFi claims it is due to FUD panic, but this reason is clearly untenable. Oasis officials responded that they had warned about the risks associated with EVODeFi, stating that Oasis is not related to ValleySwap and EvoDeFi, and that EvoDeFi is high-risk, unaudited, non-open source, and centralized. This incident may have been caused by EVODeFi stealing user assets through a backdoor.
Users have not yet found a solution for their losses, Oasis is eager to distance itself, and ValleySwap and EVODeFi's official Twitter accounts have stopped updating since June 8, effectively having run away.
Horizon: Nearly $100 million loss, compensation plan being formulated
On June 24, 2022, Harmony's official cross-chain bridge Horizon was attacked, resulting in a loss of approximately $100 million.
On June 26, Harmony founder Stephen Tse acknowledged that the attack could have been caused by a "private key leak." Funds were stolen on the Ethereum and BNB chains, including BUSD, USDC, ETH, WBTC, and more. Previously, only 2 out of 5 signatures were required to transfer funds between Ethereum and Horizon, but the required number of signatures was changed to 4 out of 5 afterwards.
Harmony once hoped to compensate users for part of their losses of ( within 3 years by issuing more ONE tokens, but did not reach an agreement with the community. After the community initiated the compensation proposal on July 27, Stephen Tse expressed understanding of the community's concerns and will revise the compensation plan.
Nomad: $190 million loss, in process
On August 2, 2022, Nomad's liquidity was quickly exhausted, with a total liquidity of $190 million before the security incident. The incident also caused Layer 2 interoperability protocol Connext to lose approximately $3.34 million, as Connext held about $3.34 million in madAssets on the affected chain at the time.
Researchers believe that the incident was caused by a contract upgrade of Nomad that initialized the trusted root to 0x00, allowing anyone to replace the counterpart's address with their own address using valid transactions, and then broadcast the transaction to withdraw funds from the cross-chain bridge.
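Why a trusted root of 0x00 is dangerous, as an added example that is not Nomad's code: the `Inbox` class and the SHA-256 Merkle helper are a simplified model, and it assumes Solidity-style storage in which a message that was never proven reads back as the zero root.

```python
import hashlib

ZERO_ROOT = bytes(32)   # value an unset bytes32 mapping slot reads as

def h(left, right):
    return hashlib.sha256(left + right).digest()

def root_from_proof(leaf, path):
    """Fold a leaf up a Merkle path of (sibling_hash, sibling_is_left) pairs."""
    node = leaf
    for sibling, sibling_is_left in path:
        node = h(sibling, node) if sibling_is_left else h(node, sibling)
    return node

class Inbox:
    """Destination side: process a message only if proven under a trusted root."""
    def __init__(self, trusted_root, hardened):
        if hardened and trusted_root == ZERO_ROOT:
            raise ValueError("the zero root must never be trusted")
        self.hardened = hardened
        self.trusted = {trusted_root}
        self.proven = {}            # message hash -> root it was proven under

    def prove(self, leaf, path):
        self.proven[leaf] = root_from_proof(leaf, path)

    def process(self, leaf):
        root = self.proven.get(leaf, ZERO_ROOT)   # unset reads as zero
        if self.hardened and root == ZERO_ROOT:
            return False            # never proven: reject outright
        return root in self.trusted

def demo():
    a, b, unproven = (hashlib.sha256(m).digest() for m in
                      (b"constructed msg A", b"constructed msg B", b"constructed msg C"))
    good_root = h(a, b)
    upgraded = Inbox(ZERO_ROOT, hardened=False)   # trusted root set to 0x00
    fixed = Inbox(good_root, hardened=True)
    fixed.prove(a, [(b, False)])
    try:
        Inbox(ZERO_ROOT, hardened=True)
        zero_init_rejected = False
    except ValueError:
        zero_init_rejected = True
    return {
        "zero_root_accepts_unproven": upgraded.process(unproven),
        "real_root_accepts_unproven": Inbox(good_root, False).process(unproven),
        "fixed_accepts_proven": fixed.process(a),
        "fixed_accepts_unproven": fixed.process(unproven),
        "zero_init_rejected": zero_init_rejected,
    }
```

The second result shows that the same unhardened logic rejects unproven messages when the trusted root is a real one, so the initialization value alone opens the hole; the hardened variant adds an explicit "was it proven" check so a bad initialization cannot do so again.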
Analysis shows that the attack involved 1,251 ETH addresses, with an amount of approximately 190 million USD, of which 12 ENS addresses accounted for about 38% of the total. The project team has not provided a specific compensation plan, and some white hat hackers have expressed willingness to return the funds.
Summary
Frequent security incidents with cross-chain bridges are worth noting. Multichain, Portal, and Wormhole, which rank in the top three for liquidity, have all experienced security incidents, indicating that cross-chain bridges are high-risk areas, and any cross-chain bridge may encounter security issues again.
Relatively speaking, cross-chain bridges with a strong development team background and financial strength are more likely to recover assets or make compensations after security incidents, such as Poly Network, Ronin Network, and Wormhole, which were able to retrieve or fully compensate for the huge amounts of funds stolen.
Real-time monitoring and proactive handling by the team are crucial. Hop Protocol and StarGate quickly addressed reports of suspicious activity, effectively preventing a hacker attack.