Top Ten Cross-Chain Bridge Attacks Reviewed: Heavy Losses, Security Risks Remain
Frequent Security Incidents of Cross-Chain Bridges: A Review of the Top Ten Attack Cases and Their Impact
In recent years, cross-chain bridges in the blockchain ecosystem have become popular targets for hacker attacks. These bridges play a crucial role in transferring assets between different blockchain networks, but at the same time, they have also become a focal point for security vulnerabilities. This article will explore ten major cross-chain bridge attack incidents, summarizing the lessons learned and their impacts.
1. ChainSwap: Two Attacks Resulted in Huge Losses
In July 2021, ChainSwap experienced two hacker attacks, resulting in a total loss of approximately $8.8 million. The second attack had a wide-ranging impact, affecting over 20 projects that used ChainSwap services. Investigations revealed that the attackers exploited a vulnerability in the protocol's signature verification process. To compensate for the losses, ChainSwap and the affected projects chose to take snapshots and reissue tokens.
2. Poly Network: One of the largest attacks in history
In August 2021, Poly Network suffered an attack that resulted in losses of up to $610 million. The attacker exploited a vulnerability in the contract's permission management to transfer a large amount of assets across multiple blockchains. Although the situation was severe at first, the attacker eventually returned all the funds, and Poly Network even invited them to serve as a security advisor.
3. Multichain: Vulnerabilities Affect Multiple Tokens
In January 2022, Multichain discovered a significant vulnerability affecting multiple tokens. Despite issuing a timely warning, approximately $6 million in assets were stolen. The issue arose from the contract's failure to properly verify the legitimacy of certain tokens. The Multichain team worked to recover some of the funds and proposed a compensation plan.
4. QBridge: Contract vulnerabilities lead to huge losses
At the end of January 2022, QBridge, the bridge of the lending platform Qubit, was attacked, resulting in a loss of approximately $80 million. The attacker exploited a vulnerability in how the contract handled zero addresses, minting a large number of unbacked tokens. This incident severely impacted Qubit's operations, and most of the stolen funds have not yet been recovered.
5. Meter.io: Misconfiguration Leads to Attack
In February 2022, the Meter Passport cross-chain bridge suffered an attack due to a configuration error, resulting in a loss of $4.4 million. The attackers were able to forge token transfer operations. The Meter team proposed a plan to compensate users with a new token, PASS, and promised to use future platform revenue to buy back these tokens.
6. Ronin: Major Losses Caused by Social Engineering Attacks
In March 2022, the Ronin chain of the game Axie Infinity suffered a well-planned attack, resulting in a loss of up to $620 million. The attackers gained key access through social engineering techniques. Although the stolen funds could not be recovered, the development team raised compensation funds through financing.
7. Wormhole: Core Contract Vulnerability Exploited
In February 2022, Wormhole was attacked, resulting in a loss of approximately $326 million. The attacker exploited a vulnerability in signature verification on the Solana side. Fortunately, the investor Jump Crypto quickly covered the loss, allowing Wormhole to resume operations.
8. EvoDeFi: Suspected Insider Trading
In June 2022, issues with EvoDeFi led to a severe asset decoupling in ValleySwap within the Oasis ecosystem, resulting in estimated losses of over ten million dollars. Although the exact cause remains unclear, there are indications that internal personnel may have stolen user assets through backdoors. Unfortunately, the losses for users have yet to be resolved.
9. Horizon: Private Key Leakage Leads to Catastrophe
In June 2022, Harmony's Horizon bridge was attacked, resulting in a loss of nearly $100 million. Investigations indicate that the attack likely stemmed from a private key leak. The Harmony team is working with the community to develop a compensation plan.
10. Nomad: Upgrade Error Leads to Significant Losses
In August 2022, Nomad suffered a loss of approximately $190 million due to a configuration error during a contract upgrade. This simple initialization error allowed anyone to withdraw funds from the bridge. Currently, some white hat hackers have expressed a willingness to return the funds.
Conclusion
These cases clearly indicate that cross-chain bridges face severe security challenges. Even the most well-known projects are not immune to difficulties. However, we also see that projects with strong backing are often better able to cope with crises, either through fund recovery or compensation to protect user interests. This reminds us that when choosing cross-chain bridges, we should not only consider their technical strength but also assess their ability to respond to crises. At the same time, these events highlight the importance of real-time monitoring and rapid response, with the successful defenses of Hop Protocol and StarGate serving as excellent examples.
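The real-time monitoring mentioned in the conclusion can be built on one invariant: wrapped supply on the destination chain must never exceed collateral locked on the source chain, and every mint or unlock must pair with a prior lock or burn. The following is an added example, not code from any project named above; it assumes a lock-and-mint bridge, a hypothetical `transfer_id` linking both sides, and a constructed, already-finalised event stream.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str         # "lock"/"unlock" on the source chain, "mint"/"burn" on the destination
    token: str
    amount: int
    transfer_id: str  # hypothetical cross-chain message id linking the two sides

def audit(events):
    """Return (index, reason) alerts for events that break the backing invariant."""
    locked = defaultdict(int)  # collateral held by the bridge on the source chain
    minted = defaultdict(int)  # wrapped supply outstanding on the destination chain
    pending = {"lock": {}, "burn": {}}  # releases each side is still entitled to
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind in ("lock", "burn"):
            if ev.amount <= 0:
                alerts.append((i, f"{ev.kind} with non-positive amount"))
                continue
            pending[ev.kind][ev.transfer_id] = (ev.token, ev.amount)
            if ev.kind == "lock":
                locked[ev.token] += ev.amount
            else:
                minted[ev.token] -= ev.amount
        else:  # "mint" must consume a lock, "unlock" must consume a burn
            need = "lock" if ev.kind == "mint" else "burn"
            if pending[need].pop(ev.transfer_id, None) != (ev.token, ev.amount):
                alerts.append((i, f"{ev.kind} without matching {need}"))
            if ev.kind == "mint":
                minted[ev.token] += ev.amount
            else:
                locked[ev.token] -= ev.amount
        if minted[ev.token] > locked[ev.token]:
            alerts.append((i, f"{ev.token}: wrapped supply exceeds collateral"))
    return alerts

# Constructed sample stream, assumed already ordered and finalised.
SAMPLE = [
    Event("lock", "ETH", 100, "t1"),
    Event("mint", "ETH", 100, "t1"),    # backed mint
    Event("burn", "ETH", 40, "t2"),
    Event("unlock", "ETH", 40, "t2"),   # backed release
    Event("unlock", "ETH", 40, "t2"),   # same release seen twice
    Event("lock", "USDC", 0, "t3"),     # deposit that carries no value
    Event("mint", "USDC", 500, "t3"),   # mint with nothing behind it
]
print(*audit(SAMPLE), sep="\n")
```

An alert from a check like this is the trigger for the rapid response the article describes, such as pausing the bridge contracts while the mismatch is investigated.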