Cross-chain bridge security incident review: over $1.9 billion in funds affected, about $1.55 billion recovered or compensated

In recent years, as the blockchain ecosystem has grown, cross-chain bridges have become important infrastructure connecting different public chains. However, because of their complexity and the scale of funds they hold, cross-chain bridges have also become frequent targets for attackers. This article reviews the top ten cross-chain bridge security incidents that have occurred recently, involving a total of over $1.9 billion, of which approximately $1.55 billion has been recovered or compensated.

ChainSwap: Two Attacks Result in Losses of Approximately $8.8 Million

In July 2021, ChainSwap suffered two attacks in just 9 days. The first loss was about $800,000, and the second loss was about $8 million, affecting over 20 projects. The cause of the incident was that the protocol did not strictly verify the validity of signatures. To compensate users, ChainSwap and several affected projects conducted snapshots and reissued tokens.

Poly Network: $610 million stolen, fully recovered

On August 10, 2021, Poly Network experienced a major security incident, losing approximately $610 million in assets across Ethereum, Binance Smart Chain, and Polygon. The attacker exploited a vulnerability in contract permission management to modify the validator address on the target chain. Ultimately, the attacker returned all the funds, and Poly Network referred to them as a "white hat" hacker and invited them to serve as a security advisor.

Multichain: $6 Million Vulnerability Loss Nearly Compensated

In January 2022, Multichain discovered a significant vulnerability affecting six tokens, with approximately $6.04 million in assets impacted. The cause was a failure to properly verify the legitimacy of the tokens passed in by users. The team recovered nearly 50% of the stolen funds and compensated users who promptly revoked their authorizations.

QBridge: $80 million loss, only 2% compensation

On January 28, 2022, Qubit's cross-chain bridge QBridge was attacked, resulting in a loss of approximately $80 million. The attacker exploited a contract vulnerability to mint a large amount of xETH without depositing any tokens. Currently, Qubit's usage rate is extremely low, and 98% of the stolen funds have not yet been compensated.

Meter.io: $4.4 Million Loss, Promises to Compensate with Future Earnings

On February 6, 2022, the Meter Passport cross-chain bridge was attacked, resulting in a loss of $4.4 million. The cause was a "faulty trust assumption" in the code. Meter decided to issue a new token, PASS, to compensate users and promised to repurchase it using future profits, but has not yet begun to do so.

Ronin: $620 million stolen, fully compensated

In March 2022, the Ronin chain of Axie Infinity suffered a social engineering attack, resulting in a loss of approximately $620 million. The attackers infiltrated the system using fake job offers and took control of multiple validator nodes. Although the stolen funds could not be recovered, the developer Sky Mavis raised $150 million through financing to compensate users.

Wormhole: $326 million vulnerability, investors fully compensated

On February 3, 2022, Wormhole was attacked due to a signature verification error in the Solana contract, resulting in a loss of approximately $326 million. The investor Jump Crypto quickly replenished 120,000 ETH, allowing Wormhole to resume normal operations.

EvoDeFi: Estimated losses in the tens of millions of dollars, unresolved

In June 2022, USDT on a DEX in a certain ecosystem suffered a severe depeg due to insufficient liquidity on the source chain of the EvoDeFi cross-chain bridge. The exact amount of loss is unknown, but it is estimated to be in the tens of millions of dollars. The parties involved have not provided any solution, and users are unable to recover their losses.

Horizon: Nearly $100 million stolen, compensation plan still being formulated

On June 24, 2022, Harmony's Horizon cross-chain bridge was attacked, resulting in a loss of approximately $100 million. This may have been due to a private key leak. The project team proposed to compensate in installments by issuing additional tokens, but this was not supported by the community. They are currently working on a new compensation plan.

Nomad: $190 million security incident, some funds may be recovered

On August 2, 2022, Nomad lost $190 million in funds due to an error in a contract upgrade. Some white hat hackers have expressed their willingness to return the funds, but the specific compensation plan has not yet been determined.

Summary

The frequent security incidents of cross-chain bridges remind us to remain highly vigilant. Even leading projects may have security risks. Relatively speaking, projects with strong backgrounds and substantial financial strength are more capable of recovering assets or providing compensation after a security incident. Additionally, real-time monitoring and rapid response from the team are crucial for preventing attacks. Users should carefully assess risks and choose reliable projects when using cross-chain bridges.
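
The QBridge incident above (xETH minted without any deposit) and the monitoring point in this summary suggest one invariant a bridge operator can watch: every destination-chain mint must be backed by a source-chain deposit. The following is an added example, not code from this article or from any project named in it; the event fields and the sample records are constructed assumptions, and events are assumed to arrive in time order after source-chain finality.

```python
from collections import namedtuple

# Constructed event record; field names are assumptions, not any bridge's real schema.
Event = namedtuple("Event", "kind transfer_id token amount")

def reconcile(events):
    """Return (transfer_id, reason) alerts for mints not backed by a source-chain deposit."""
    deposits = {}   # transfer_id -> deposit Event seen on the source chain
    minted = set()  # transfer_ids already minted on the destination chain
    alerts = []
    for ev in events:
        if ev.kind == "deposit":
            deposits[ev.transfer_id] = ev
        elif ev.kind == "mint":
            dep = deposits.get(ev.transfer_id)
            if dep is None:
                alerts.append((ev.transfer_id, "mint without deposit"))
            elif ev.transfer_id in minted:
                alerts.append((ev.transfer_id, "deposit minted twice"))
            elif ev.token != dep.token or ev.amount > dep.amount:
                alerts.append((ev.transfer_id, "mint exceeds or mismatches deposit"))
            minted.add(ev.transfer_id)
    return alerts

# Constructed sample stream (not real chain data).
SAMPLE = [
    Event("deposit", "t1", "ETH", 10),
    Event("mint", "t1", "ETH", 10),    # backed 1:1, no alert
    Event("mint", "t2", "ETH", 5000),  # nothing was deposited
    Event("deposit", "t3", "ETH", 1),
    Event("mint", "t3", "ETH", 100),   # more minted than locked
    Event("mint", "t1", "ETH", 10),    # same deposit used again
]

if __name__ == "__main__":
    for transfer_id, reason in reconcile(SAMPLE):
        print(transfer_id, reason)
```

An alert from a check like this is a signal to pause minting and investigate; it does not replace correct signature and deposit validation in the contracts themselves.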
