Timothea Horwell | January 28 2022
Recent bridge exploits: what happened?
Amid a recent series of bridge exploits, another massive hack has hit Ronin Bridge. If you’re curious about what happened and why Orion Bridge cannot suffer the same fate, read on. We will continue to update this post as future exploits occur.
Exploit date: March 23rd
Loss to date: ~$546 million
Ronin Bridge lets users transfer their assets between the Ronin chain and the Ethereum mainnet. Ronin is a sidechain built specifically for the Axie Infinity blockchain game.
Ronin Bridge was exploited to the tune of around $546 million (173,600 Ethereum and 25.5 USDC) at the current market value, as the hacker drained the bridge in two fraudulent transactions.
The attacker gained control of four of Sky Mavis’ Ronin validators as well as a third-party validator run by Axie DAO; five out of nine validator signatures are needed to process a Deposit or Withdrawal event. The intruder used a backdoor via a gas-free RPC node to obtain the signature for the Axie DAO validator - the fifth and final validator needed for the exploit.
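The gap between a nominal 5-of-9 threshold and the number of systems that actually have to be compromised can be checked mechanically. The following is an added example, not code from Ronin or Orion: the validator layout is constructed from the description above, and the operator names for validators 6 to 9 are hypothetical.

```python
from itertools import combinations

def min_compromises(threshold, signing_paths):
    """signing_paths maps each validator to the set of systems or parties
    able to produce its signature. Returns (k, sets): the smallest number of
    systems whose compromise yields >= threshold signatures, and every set of
    that size that does so."""
    systems = sorted(set().union(*signing_paths.values()))
    for k in range(1, len(systems) + 1):
        hits = [
            combo for combo in combinations(systems, k)
            if sum(1 for paths in signing_paths.values()
                   if paths & set(combo)) >= threshold
        ]
        if hits:
            return k, hits
    return None, []

# Constructed layout: four keys under one operator, one key reachable either
# through its owner or through a gas-free RPC node, four independent keys.
RONIN_LIKE = {f"validator-{i}": {"sky-mavis"} for i in range(1, 5)}
RONIN_LIKE["validator-5"] = {"axie-dao", "gas-free-rpc"}
RONIN_LIKE.update({f"validator-{i}": {f"operator-{i}"} for i in range(6, 10)})

# Hypothetical comparison: nine keys, nine unrelated operators, no shared paths.
INDEPENDENT = {f"validator-{i}": {f"operator-{i}"} for i in range(1, 10)}

def report(name, layout, threshold=5):
    k, sets = min_compromises(threshold, layout)
    return (f"{name}: {threshold}-of-{len(layout)} nominal, "
            f"{k} system(s) in practice, {len(sets)} minimal set(s)")

if __name__ == "__main__":
    print(report("ronin-like", RONIN_LIKE))
    print(report("independent", INDEPENDENT))
```

Every minimal set in the first layout contains the operator holding four keys, which is the concentration a signer-set review should flag.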
While this is another huge bridge exploit at ~$546m, the rest of the industry fails to learn from its mistakes by using similar bridges. Ronin has since informed users that security updates, taking several weeks, are in place, along with a public funding round to try to reimburse the users affected.
Users can avoid these common bridge exploits by using the most secure bridge on the market: Orion Bridge.
Exploit date: January 28th
Loss to date: $80 million
Qubit Finance is a lending protocol optimized to deliver lending as a utility for Binance Smart Chain. X-Collateral is the cross-chain feature within QBridge that enables users to collateralize their assets on other networks without moving assets from one chain to another.
QBridge was hacked to create a huge amount of qXETH (an asset representing ETH bridged via Qubit) collateral that was subsequently used to drain the entire quantity of BNB stored on QBridge. The attacker utilized a deposit option in the QBridge contract to illegally mint ‘unlimited’ 77,162 qXETH to borrow on BSC. Addresses connected to the attack show 206,809 BNB were drained from Qubit’s QBridge protocol - worth over $80 million at current prices.
Exploit date: January 18th (still affecting users a week later)
Loss to date: $3.8 million
Multichain, formerly Anyswap, is a cross-chain router protocol that lets people swap tokens between various blockchains. Last week it found a critical vulnerability that affected six token contracts on the Multichain Router.
To enable cross-chain swapping, the router wraps a token with its “anyToken”. For example, DAI is wrapped as anyDAI. The wrapped token is used for Multichain internal accounting, and when a user “transfers” DAI from Ethereum to BSC, anyDAI is added to the Multichain anyDAI BSC contract, and burned on the anyDAI Ethereum contract.
Furthermore, Multichain relies on 33 nodes to validate, sign and propagate cross-chain transactions, among which part of the private key is shared. This reliance on a layer of validators means Multichain is not truly decentralized, or secure - opening up further vulnerabilities to 51% attacks and other exploits. Multichain have not yet commented on how it will be returning funds to users.
Live: January 31st
Orion Bridge is the first peer-to-peer atomic swap bridge: enabling users to trade native assets across different blockchains without limits, delays, refused orders, blocked funds, or exploits.
Atomic swaps are automatic exchange contracts that allow two parties to immediately exchange two assets on different blockchains, without wrapped assets. On Orion Bridge, there's no wrapping or minting of assets - ever. Instead, the peer-to-peer atomic swap bridge enables immediate swapping of one L1 asset for another L1 asset. Users don’t lose ownership of their funds until they receive the corresponding asset on their chosen network.
Peer-to-peer technology enables true decentralization: the direct exchange of an asset between individual parties without the involvement of a central authority. Unlike other bridges dependent on centralized entities and validators and thus prone to 51% attacks and other vulnerabilities, Orion Bridge users atomic swap assets with only one counterparty - one of our growing network of brokers.
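The property that a user keeps their funds unless they receive the other asset is usually obtained with hash-time-locked contracts (HTLCs). The following is an added example, not Orion Bridge code, and the page does not say which construction Orion uses: it is a generic HTLC swap between a user and a broker, with constructed amounts, timeouts and secret.

```python
import hashlib

class HTLC:
    """Funds locked for `recipient` under a hashlock; refundable to `sender`
    once `timeout` has passed without a claim."""
    def __init__(self, sender, recipient, amount, hashlock, timeout):
        self.sender, self.recipient, self.amount = sender, recipient, amount
        self.hashlock, self.timeout = hashlock, timeout
        self.state, self.revealed = "locked", None

    def claim(self, caller, preimage, now):
        if self.state != "locked" or caller != self.recipient or now >= self.timeout:
            return False
        if hashlib.sha256(preimage).digest() != self.hashlock:
            return False
        # Claiming publishes the preimage, which lets the other side claim too.
        self.state, self.revealed = "claimed", preimage
        return True

    def refund(self, caller, now):
        if self.state != "locked" or caller != self.sender or now < self.timeout:
            return False
        self.state = "refunded"
        return True

def swap(broker_locks=True, user_claims=True):
    """Returns the final state of (chain A lock, chain B lock)."""
    secret = b"constructed-secret"                 # known only to the user
    hashlock = hashlib.sha256(secret).digest()
    # The user locks first on chain A, with the longer timeout.
    lock_a = HTLC("user", "broker", 1, hashlock, timeout=200)
    if not broker_locks:                           # broker never shows up
        lock_a.refund("user", now=200)
        return lock_a.state, None
    # The broker locks the other asset on chain B, with a shorter timeout.
    lock_b = HTLC("broker", "user", 10, hashlock, timeout=100)
    if user_claims:
        lock_b.claim("user", secret, now=50)             # reveals the secret
        lock_a.claim("broker", lock_b.revealed, now=60)  # broker reuses it
    else:                                          # user walks away: both refund
        lock_b.refund("broker", now=100)
        lock_a.refund("user", now=200)
    return lock_a.state, lock_b.state

if __name__ == "__main__":
    print(swap(), swap(broker_locks=False), swap(user_claims=False))
```

The chain B timeout must expire well before the chain A timeout; otherwise the user could claim on B at the last moment and leave the broker no time to claim on A.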
Hacks and exploits of any kind are incredibly unfortunate for users. Other bridges may currently offer more chains and assets, but ultimately leave their users vulnerable to loss and exploitation. What we are building, both with Orion Bridge and beyond, lays the foundation for truly decentralized cross-chain trading, without compromising assets.
As Orion Bridge grows to include more assets and chains, and as other bridges sadly continue to succumb to exploitation, we plan to become the leading cross-chain bridge on the market: eventually enabling users to trade any asset across any chain without limits, delays, refused orders, blocked funds, or exploits. We hope to see other bridges and protocols put user protection first and follow suit.