Recent bridge exploits: what happened? 

Amongst a series of bridge exploits over the last week alone, another aggressive hack occurred on the QANX Bridge. If you’re curious to understand what happened and why Orion Bridge cannot suffer the same fate, read on. We will continue to update this post with updates and future exploits as they occur.

QANX Bridge
Exploit date: October 11th, 2022
Loss to date: TBD (potentially over $1m worth)

The QANX Bridge is based on an interoperability protocol, enabling users to transfer their BEP-20 and ERC-20 QANX tokens between ETH and BNB Chain networks. This is reportedly the second hack to have taken place on QAN's bridge within a year, as "definitely a bridge issue" (CEO of QAN) led to ~325 ETH being stolen earlier in 2022.

On this occasion, today (October 11th, 2022), the offline bridge contract was hacked as the attacker managed to withdraw tokens (amount yet to be disclosed. Early reports are $1m+). A snapshot before the hack and an airdrop of tokens is planned by the QAN team.

The QAN team has taken action to limit the damage caused by the exploit by moving to pause trading, deposits and withdrawals on CEXs. Liquidity from Uniswap and PancakeSwap has also been withdrawn to "mitigate the losses of users and further draining of the liquidity pool."

Users can avoid these common bridge exploits by using the most secure bridge in market: Orion Bridge.

BSC Token Hub
Exploit date: October 6th, 2022
Value affected: ~$100 million

According to Binance leader, CZ, BSC Token Hub is the bridge between BNB Beacon Chain (BEP2) and BNB Chain (BEP20 or BSC).

The BNB Chain team explained in their Reddit communication that all validators temporarily suspended BNB Smart Chain (BSC) as a result of the exploit which culminated in extra BNB. Around $100m - $110m has so far been estimated as being taken off BSC, with $7m already frozen.

Leading security firm CertiK covered the incident via their CertiK Alert profile and highlighted some of the other Bridge hacks in 2022.

Users can avoid these common bridge exploits by using the most secure bridge in market: Orion Bridge.


Nomad Bridge

Exploit date: August 1st, 2022
Loss to date: ~$190 million

Nomad Bridge is a cross-chain bridge which enables users to transfer tokens and data between chains. DAOs are able to facilitate the execution of cross-chain governance proposals and developers can also build native cross-chain applications with Nomad.

Nomad Bridge was reportedly exploited to the tune of around $190 million at the current market value, as the hacker exploited a recent update to one of Nomad's smart contracts where the team had likely initialized the trusted root to 0x00. In this case, it could have led to auto-proving every message.

From this point, it allowed messages to be spoofed on Nomad with the wrapped tokens now having no backing. The hacker was then able to rapidly drain the bridge of its assets, once again leaving the crypto industry in complete disarray after yet another possible costly bridge exploit. As of August 2nd, 2022, Nomad has since given an update saying they are aware of the incident and are investigating the issue.

Users can avoid these common bridge exploits by using the most secure bridge in market: Orion Bridge.

Ronin Bridge
Exploit date: March 23rd, 2022
Loss to date: ~$546 million

Ronin Bridge lets users transfer their assets between the Ronin chain and the Ethereum main net. Ronin is based on sidechains, specifically built for the Axie Infinity blockchain game.

Ronin Bridge was exploited to the tune of around $546 million (173,600 Ethereum and 25.5 USDC) at the current market value, as the hacker drained the bridge in two fraudulent transactions.

The attacker gained control of Sky Mavis’ Ronin Validators (four of them) as well as a third-party validator run by Axie DAO, as five out of nine validators are needed to process a Deposit or Withdrawal event. The malicious intruder used backdoor entry via a gas-free RPC node to gain the signature for the Axie DAO validator - the fifth and final validator needed for the exploit.

While this is another huge bridge exploit at ~$546m, the rest of the industry fails to learn from its mistakes by using similar bridges. Ronin have since updated everyone that security updates taking several weeks are in place along with a public funding round to try and reimburse users affected.

Users can avoid these common bridge exploits by using the most secure bridge in market: Orion Bridge.

Qubit
Exploit date: January 28th, 2022
Loss to date: $80 million

Qubit Finance is a lending protocol optimized to deliver lending as a utility for Binance Smart Chain. X-Collateral is the cross-chain feature within QBridge that enables users to collateralize their assets on other networks without moving assets from one chain to another.

QBridge was hacked to create a huge amount of qXETH (an asset representing eth bridged via Qubit) collateral that was subsequently used to drain the entire quantity of BNB stored on Q Bridge. The attacker utilized a deposit option in the QBridge contract to illegally mint ‘unlimited’ 77,162 qXETH to borrow on BSC. Addresses connected to the attack show 206,809 BNB were drained from Qubit’s QBridge protocol - worth over $80 million at current prices.

Users can avoid these common bridge exploits by using the most secure bridge in market: Orion Bridge.

 

Multichain (Anyswap)
Exploit date: January 18th, 2022 (still affecting users a week later)
Loss to date: $3.8 million

Multichain, formerly Anyswap, is a cross-chain router protocol that lets people swap tokens between various blockchains. Last week it found a critical vulnerability that affected six token contracts on the Multichain Router.

To enable cross-chain swapping, the router wraps a token with its “anyToken”. For example, DAI is wrapped as anyDAI. The wrapped token is used for Multichain internal accounting, and when a user “transfers” DAI from Ethereum to BSC, anyDAI is added to the Multichain anyDAI BSC contract, and burned on anyDAI Ethereum contract. 

Furthermore, Multichain relies on 33 nodes to validate, sign and propagate cross-chain transactions, among which part of the private key is shared. This reliance on a layer validators means Multichain is not truly decentralized, or secure - opening up further vulnerabilities to 51% attacks and other exploits.  Multichain have not yet commented on how it will be returning funds to users.

Users can avoid these common bridge exploits by using the most secure bridge in market: Orion Bridge.

 

Orion Bridge

Orion Bridge is the first peer-to-peer atomic swap bridge: enabling users to trade native assets across different blockchains without limits, delays, refused orders, blocked funds, or exploits.

Atomic swaps are automatic exchange contracts that allow two parties to immediately exchange two assets on different blockchains, without wrapped assets. On Orion Bridge, there's no wrapping or minting of assets - ever. Instead, peer-to-peer atomic swap bridge enables immediate swapping of one L1 asset for another L1 asset. Users don’t lose ownership of their funds until they receive the corresponding asset on their chosen network.

Peer-to-peer technology enables true decentralization: the direct exchange of an asset between individual parties without the involvement of a central authority. Unlike other bridges dependent on centralized entities and validators and thus prone to 51% attacks and other vulnerabilities, Orion Bridge users atomic swap assets with only one counterparty - one of our growing network of brokers.

Hacks and exploits of any kind are are incredibly unfortunate for users. Other bridges may currently offer more chains and assets, but ultimately leave their users vulnerable to loss and exploitation. What we are building, both with Orion Bridge and beyond, lays the foundation for truly decentralized cross-chain trading, without compromising assets.

As Orion Bridge grows to include more assets and chains, and as other bridges sadly continue to succumb to exploitation, we plan to become the leading cross-chain bridge in market: eventually enabling users to trade any asset across any chain without limits, delays, refused orders, blocked funds, or exploits. We hope to see other bridges and protocols put user protection first and follow suit.

Learn more:

Orion Bridge Deep Dive

Bridge comparisons

Use Orion Bridge

 

 

Stay updated with Orion.