By Ronghui Gu, co-founder of CertiK
In the space of just nine days, the DeFi world was rocked by exploits of three cross-chain bridges that collectively drained more than $400 million from the platforms. The 120,000 ETH siphoned from Wormhole’s Ethereum-Solana bridge on February 2nd represents the second largest DeFi hack ever, coming in at just over half of the total stolen from Poly Network – another cross-chain platform – in August 2021.
What do these bridge exploits tell us about the current state of DeFi, and the direction in which the industry is headed?
Let’s take a quick look at each of the three exploits to see what lessons they might hold.
Qubit Finance’s bridge linking Ethereum and Binance Smart Chain was the first to be exploited this year, resulting in a loss of $80 million. The attacker bypassed Qubit’s token verification process, allowing them to fraudulently receive proof of non-existent tokens from the bridge. A logical error in Qubit Finance’s code let them supply malicious input and withdraw tokens on Binance Smart Chain when none had been deposited on Ethereum.
Similar to the Qubit attacker, whoever took down Wormhole’s bridge did so by bypassing the contracts’ verification stage. The attack came just hours after the Wormhole team pushed a major code update to their GitHub repository. It included a change from load_current_index to load_current_index_checked, which is necessary to ensure that a third party couldn’t substitute their own signature verification function. This is exactly what the attacker took advantage of, suggesting they were either watching the GitHub repository for possible attack vectors, or they were already aware of the possibility of this specific exploit and decided to go through with it before it was patched.
Wormhole’s bridge allows users to convert their Ethereum-native ETH to Solana-compatible wETH (Wormhole Ether). The bridge held a 1:1 ratio of ETH to wETH, acting essentially as an escrow service. Its popularity meant that it had become the dominant bridge between Solana and Ethereum, and as such was responsible for a large proportion of all wrapped Ether on the Solana blockchain. This posed a major risk to the integrity of the Solana ecosystem. The situation was remedied when Jump Trading stepped in to restore the backing of wETH at no small expense.
The hack of Meter.io’s bridge was by far the smallest of the trio, at “just” $4.2 million. Meter’s bridge contracts provide two deposit methods: deposit() and depositETH(). Despite their different names, these two functions emit the same event. The attacker took advantage of the fact that deposit() does not burn or lock WETH/WBNB, meaning they were able to create fake deposit events on Ethereum and Binance Smart Chain by calling the deposit() function. This resulted in a deposit event without the lock-up of any real tokens. The bridge recognized these deposits as legitimate and minted 1,400 ETH and 2 WBTC across three chains: Ethereum, BSC, and Moonriver.
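A relayer-side reconciliation check for the failure described above, added here as an illustration and not taken from Meter's or CertiK's code: before a deposit event is honoured, the same transaction must show the claimed amount actually reaching escrow. The `Tx` record, the `ESCROW` address, the token labels and the sample transactions are constructed assumptions, and only lock-style backing (not burns) is modelled.

```python
from dataclasses import dataclass, field

ESCROW = "0xESCROW"        # constructed placeholder for the bridge's escrow address
WRAPPED_NATIVE = "WETH"    # constructed label for the wrapped native token

@dataclass
class Tx:
    tx_hash: str
    native_value: int                               # native coin sent with the call
    deposits: list = field(default_factory=list)    # (token, amount) from deposit events
    transfers: list = field(default_factory=list)   # (token, to, amount) from transfer events

def backed_amount(tx, token):
    """Value the escrow actually received for `token` in this transaction."""
    locked = sum(a for t, to, a in tx.transfers if t == token and to == ESCROW)
    if token == WRAPPED_NATIVE:
        locked += tx.native_value   # assumption: native coin backs the depositETH() path
    return locked

def unbacked_deposits(txs):
    """Return (tx_hash, token, claimed, backed) where events claim more than was locked."""
    findings = []
    for tx in txs:
        claimed = {}
        for token, amount in tx.deposits:           # sum events so one lock can't back two
            claimed[token] = claimed.get(token, 0) + amount
        for token, total in claimed.items():
            backed = backed_amount(tx, token)
            if backed < total:
                findings.append((tx.tx_hash, token, total, backed))
    return findings

# Constructed sample transactions (not real chain data).
SAMPLE = [
    Tx("0xaaa", 5, [("WETH", 5)]),                                   # native value locked
    Tx("0xbbb", 0, [("USDC", 100)], [("USDC", ESCROW, 100)]),        # ERC-20 locked
    Tx("0xccc", 0, [("WETH", 1400)]),                                # event only, nothing locked
    Tx("0xddd", 0, [("USDC", 50), ("USDC", 50)], [("USDC", ESCROW, 50)]),  # half backed
]

if __name__ == "__main__":
    for finding in unbacked_deposits(SAMPLE):
        print("unbacked deposit:", finding)
```

A relayer or monitor that refuses to mint on any finding treats the event as a claim to be verified against asset movement, rather than as proof of a deposit.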
Bridges to Nowhere?
These bridge exploits highlight two facts about the current state of DeFi. First, bridges are critical pieces of infrastructure that are in high demand. That a single bridge held a third of a billion dollars of value is testament to the appetite users have for trading, investing, and exploring across different blockchain ecosystems.
The second fact these exploits highlight is that current bridging technology is vulnerable to attack. Bridges are complex: they operate across two or more chains and need to convert native assets from one ecosystem to another. This introduces many more attack vectors than a simple DEX on a single blockchain, for example. While there has been a lot of talk about the inevitability of a cross-chain world, not everybody is quite so optimistic. Vitalik Buterin cited “the fundamental security limits of bridges” in his argument for the existence of “multiple zones of sovereignty” – a blockchain world composed of many different but not particularly interoperable ecosystems.
Whether or not Vitalik’s prediction comes true, it is clear that existing bridge technology is not up to standard. There are only so many times trading firms will backstop $300 million of liquidity in order to keep a blockchain alive. While a multi- but not cross-chain world may seem to be the most likely scenario at the moment, it is up to all the builders who envision a truly interoperable blockchain ecosystem to focus on the security that can make that vision a reality. A truly cross-chain ecosystem gives users the best of all worlds. A lack of interoperability will hamstring the development and expansion of blockchain technology, but we have a way to go before the security of the necessary infrastructure catches up to demand.