So, in this way, the user is trusting the bridging process not just at the swapping moment, but also for as long as they are using a wrapped asset in the future.
In summary, all of the security risks of an asset multiply exponentially for their bridged (wrapped) counterparts.
Concerned about Tether Limited not redeeming one USDT for $1? Bridge that same USDT to a blockchain not supported by Tether Limited and your risks have multiplied by custodian(s), smart contracts, liquidity, price parity, and most of all, whether the bridge will not burn down before you need to traverse back to safety.
In a way, cross-blockchain bridges are like wormholes: they transport material across space, but they form and annihilate spontaneously.
In fact, Wormhole is the name of the world’s most well-capitalized bridge, linking the blockchains of Ethereum and Solana.
We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
ChainSwap exploit on July 10, 2022
ChainSwap lost 20 million WILD tokens in an exploit on July 10, 2022. Wilder World uses WILD as its native token. A pseudonymous Twitter user and Wilder World “citizen” noticed the ChainSwap exploit on July 10, 2022. The exploit also affected Antimatter, Optionroom, Umbrellabank, Nord, Razor, Peri, Unido, Oro, Vortex, Blank, and Unifarm tokens.
ChainSwap froze its Ethereum-Binance Smart Chain bridge while it investigated.
Prior to this incident, ChainSwap suffered another exploit in which it lost $800,000 in tokens on July 2.
This is the largest heist of cryptocurrencies in 2022 so far. Qubit Finance admitted to the heist in a tweet. The team is working with network partners on next steps. “When available, we will share more updates,” said the tweet.
According to PeckShield, the assets were valued over $80 million at current rates.
Qubit Finance took to Twitter last night to beg hackers to return more than $80 million in stolen cryptocurrency this week.
On Thursday, the DeFi platform said their protocol was exploited by a hacker who eventually stole 206,809 binance coins from Qubit’s QBridge protocol, worth more than $80 million according to PeckShield. An hour after the first message, the company explained that they were tracking the exploiter and monitoring the stolen cryptocurrency.
They noted that they contacted the hacker and offered them the maximum bug bounty in exchange for a return of the funds, something a number of other hacked DeFi platforms have tried to middling success.
They shared multiple messages on Twitter that they purportedly sent to the hacker offering a bug bounty of $250,000 and begging for a return of the stolen funds.
CertiK, a blockchain auditing and security company, suggests the hacker was able to exploit a security flaw in Qubit’s smart contract code that let them send in a deposit of 0 ETH and withdraw almost $80 million in Binance Coin in return.
“As we move from an Ethereum-dominant world to a truly multi-chain world, bridges will only become more important,” CertiK analysts wrote. “People need to move funds from one blockchain to another, but they need to do so in ways that are not susceptible to hackers who can steal more than [$80 million].”
A statement posted by the Qubit Finance team on Twitter directly appealed to the hacker, asking them to negotiate with the team in order to minimize losses for the Qubit community.
Qubit’s incident report also stated that the team was attempting to offer the hacker the maximum reward possible under their bug bounty program.
However, this introduces the first layer of trust to the bridging process: trust in data oracles. The next layer of trust is custodians.
Typically, bridging occurs by depositing one asset with a custodian and receiving a “wrapped” version of that asset from the custodian on the second blockchain. The user must trust the custodian to both safekeep the original asset and release the wrapped asset.
Sometimes, this custodian can take the form of a DAO or smart contract.
In any case — whether a DAO or a corporate entity like BitGo (the custodian of the world’s largest wrapped asset, wrapped bitcoin) — bridging introduces several layers of trust.
Continuing, the next layer of trust is convertibility and price parity. Put simply, it’s not enough to have received a bridge asset.
The exploit involved gaining access to validator nodes’ private keys. The Ronin bridge’s developers halted deposits and withdrawals until investigators had a chance to determine what happened.
Developers built the Axie Infinity game on Ethereum’s Ronin sidechain to save on fees. Unfortunately, they compromised on security.
You cannot make this up
Hacker steals $600MM in ETH from Ronin blockchain the one underlying Axie
Hacker then goes short Ronin & AXS (Axie token) knowing as soon as news breaks that tokens will plummet
But NO ONE notices and they get liquidated on short before news breaks
— Eric Golden 🍌🦇🔊 (@ericgoldenx) March 29, 2022
WonderHero exploit on April 7, 2022
WonderHero discovered an exploit of its bridge on April 7, 2022, when the value of its native WND token unexpectedly plummeted by 50%.
The security firm stated that the QBridge was hacked to get xETH collateral, which was then used to drain the entire amount of Binance Coin held on QBridge.
Qubit Finance uses smart contracts rather than third parties to provide customers with financial services, such as trading, lending, and borrowing. Users can borrow money against those holdings on the Qubit protocol. QBridge is a cross-chain functionality that allows users to store their assets on other networks without having to move their assets between chains.
According to an incident analysis by security firm CertiK, the attacker used a deposit option in the QBridge contract to fraudulently generate 77,162 qXETH, which is an asset representing Ether bridged via Qubit.
The procedure was tricked into believing that attackers had made a deposit when they hadn’t.
On January 7, 2022, Ethereum co-founder Vitalik Buterin warned about the security of cross-blockchain bridges. He presciently argued that bridging assets across blockchains would never enjoy the same guarantees as staying within one blockchain. He was right.
The safe convertibility of assets between blockchains is not guaranteed. To be precise, no one can actually “send” nor “bridge” an asset to another blockchain. Instead, assets are deposited, locked, or burned on one chain; then credited, unlocked, or minted on the second chain.
Worse, blockchains cannot access off-chain information. No blockchain can natively verify that any multi-blockchain asset is “bridged.” At best, third-party oracles attest to the truthfulness of off-chain information and interpret that data for on-chain use.
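The lock-then-mint flow described above, as an added example (not code from any bridge named on this page): a toy relayer that mints wrapped tokens only when a deposit event matches a positive amount actually locked on the source chain, plus a monitor for the backing invariant. All names (`Vault`, `WrappedToken`, `relay_mint`, `backing_deficit`) and the sample events are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Vault:
    """Source-chain side: assets locked with the custodian contract."""
    locked: dict = field(default_factory=dict)   # deposit_id -> amount

    def lock(self, deposit_id: str, amount: int) -> None:
        if amount <= 0:
            raise ValueError("deposit must lock a positive amount")
        self.locked[deposit_id] = amount

@dataclass
class WrappedToken:
    """Destination-chain side: wrapped supply minted against locked assets."""
    supply: int = 0
    minted_for: set = field(default_factory=set)

def relay_mint(vault, token, event) -> bool:
    """Mint only if the claimed deposit event matches what the vault holds."""
    dep_id, claimed = event["deposit_id"], event["amount"]
    actual = vault.locked.get(dep_id, 0)
    if claimed <= 0 or actual != claimed:     # nothing locked, or amount mismatch
        return False
    if dep_id in token.minted_for:            # replayed event
        return False
    token.minted_for.add(dep_id)
    token.supply += claimed
    return True

def backing_deficit(vault, token) -> int:
    """Wrapped supply not covered by locked assets; > 0 means unbacked tokens."""
    return max(0, token.supply - sum(vault.locked.values()))

def run_sample():
    vault, token = Vault(), WrappedToken()
    vault.lock("dep-1", 5)
    events = [                                   # constructed sample events
        {"deposit_id": "dep-1", "amount": 5},    # honest deposit
        {"deposit_id": "dep-1", "amount": 5},    # replay of the same event
        {"deposit_id": "dep-2", "amount": 77},   # event with no matching lock
        {"deposit_id": "dep-3", "amount": 0},    # zero-value deposit
    ]
    results = [relay_mint(vault, token, e) for e in events]
    return results, token.supply, backing_deficit(vault, token)

if __name__ == "__main__":
    print(run_sample())
```

A non-zero `backing_deficit` is the condition a bridge operator would alert on: it means wrapped tokens exist on the destination chain with nothing locked behind them.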
Breaches and lapses happen here and there, but the Qubit hack, in which Binance coins to the tune of hundreds were stolen, was outrageous. This is almost the equivalent of eighty million US dollars. PeckShield, a blockchain security firm, confirmed the hack.
CertiK, a security firm, explains that a logical error was exploited, allowing the hackers to input malicious data that let them withdraw tokens on Binance Smart Chain when none had been deposited on Ethereum.
Qubit said that it was trying to assess the affected assets and, at the same time, track the exploiters. They could not identify their attacker, although they managed to send them a message offering a reward for the safe return of the stolen funds. Qubit has a bug bounty program, which it pointed to as the way to settle the reward if the hackers accepted.
It lost $300,000 in WND tokens in the attack.
WonderHero paused its website, game, bridge, deposits, and withdrawals while investigating. It restarted the game, marketplace, and yield system. Since then, WonderHero posted an analysis confirming that its Binance bridge had been compromised.
Harmony One’s Horizon Bridge exploit on June 23, 2022
Harmony One’s Horizon Bridge lost $100 million in an exploit on June 23, 2022.
Its team said it was working with law enforcement authorities and forensics experts to investigate the exploit. The address used to receive the stolen funds received a “Horizon Bridge Exploiter” label on Etherscan. The Horizon Bridge Exploiter currently holds just over $93,000 in tokens.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx.
Qubit offered to negotiate with the attacker to regain the funds.
Wormhole exploit on February 2, 2022
Attackers fraudulently minted 120,000 wrapped ETH on Solana’s blockchain using the Wormhole bridge on February 2, 2022. They created a spoofed signature account to validate their transactions.
A Paradigm researcher reverse-engineered the attack and determined that Wormhole had failed to implement a more robust validation protocol for its guardian signatures.
tl;dr – Wormhole didn’t properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.
— samczsun (@samczsun) February 3, 2022
Meter.io’s Meter Passport exploit on February 5, 2022
Meter.io’s Meter Passport bridge lost $4.4 million in an exploit on February 5, 2022.