The Next Bridge Hack

The past and future of cross chain value transfer.

Bridges are both critical infrastructure and uniquely vulnerable to attack. Because bridges occupy the liminal space between blockchains, they need to have a system for determining truth that controls the release of assets on both chains. Compromising any piece of this pipeline allows for an attacker to trigger the release of funds.

Not building bridges is not an option. There will always be demand to move value between ecosystems. Where there is demand, supply will emerge. Many of the early bridges were simply trusted third parties¹. A trader would fund a wallet on one chain and the counterparty would remit funds on the target chain. Furthermore uptime, speed, and price are all characteristics that impact the competitiveness of bridges, leading to the teams that gain traction often being teams that have cut corners for performance. These dynamics have lead to bridge hacks becoming one of the most consistent and costly problems in crypto. Here is an (incomplete) list of bridge hacks to date. Please don’t try to expand it 😉.

1. THORChain ($7.6mm): July 2021 - Flash loan attack​​.

2. ChainSwap ($8mm): July 2021 - Affected at least ten projects​​.

3. Poly Network ($600mm): August 2021 - Impacted Binance, Ethereum, and Polygon networks​​.

4. Wormhole ($325mm): February 2, 2022 - Between Ethereum and Solana, $325 million in wrapped ETH stolen​​​​.

5. Meter.io DeFi ($4.2mm): February 5, 2022 - Lost $4.4 million in assets​​.

6. Ronin Bridge ($600mm): March 23, 2022 - Ethereum-based sidechain for Axie Infinity, $600 million in ETH and USDC stolen​​​​.

7. Harmony Bridge ($100mm): June 23, 2022 - Private keys compromised, $100 million stolen​​​​.

8. Nomad Bridge ($190mm): August 2, 2022 - Trusted root exploit, over $190 million in WETH and USDC stolen​​​​.

9. Binance Bridge ($570mm): October 6, 2022 - Proof verifier bug exploited, $570 million in BNB tokens drained​​.

10. Mixin Network ($200mm): September 23, 2023 - The database of Mixin Network's cloud service provider was attacked by hackers, resulting in the loss of $200M

11. Multichain ($130mm): July 6, 2023. Multichain, formerly Anyswap, shut down after unauthorized withdrawals the disappearance of the CEO.

12. HTX/Heco ($86.6mm): November 22, 2023. The exploit's root cause was identified as a compromised operator account.

13. Orbit ($81.5 million): December 31, 2023. Details are still emerging regarding this hack.

Over 2.8bn has been lost to bridge hacks. This represents about 32% of all funds lost to exploits to date in crypto². This is 400mm more than the total amount invested by venture firms in the space in Q2 of 2023 (2.32bn according to Galaxy Digital Research).

Based on the provided data, the total value lost in cryptocurrency bridge hacks for each year is as follows:

• 2021:

  • THORChain: $7.6mm

  • ChainSwap: $8mm

  • Poly Network: $600mm

  • Total for 2021: $615.6mm

• 2022:

  • Wormhole: $325mm

  • Meter.io DeFi: $4.2mm

  • Ronin Bridge: $600mm

  • Harmony Bridge: $100mm

  • Nomad Bridge: $190mm

  • Binance Bridge: $570mm

  • Total for 2022: $1,789.2mm

• 2023:

  • Mixin Network: $200mm

  • Multichain: $130mm

  • HTX/Heco: $86.6mm

  • Orbit: $81.5mm

  • Total for 2023: $498.1mm

TVL: an Asset or Liability?

Total Value Locked is a metric popularized in DeFi 1.0. It represents the net amount of funds deposited into a smart contract. In the context of early AMMs, it closely approximates how effectively any system could handle large trades. Uniswap V3’s concentrated liquidity moved the space past standardized pricing curves, undermining the correlation between TVL and performance. Systems like DyDX and UniswapX simply do not have TVL.

In aerospace, much of the focus is minimizing odds of catastrophic failure rather than preventing issues³. While in almost every bridge hack the core issue was either with the oracle or the authorization scheme, the magnitude of the losses was a direct consequence of the liquidity system employed. For bridges TVL (Total Value Locked) is a liability, not an asset. In the context of modern bridges, what TVL really measures is total value at risk. While the moving away from pool based models will not impact the frequency of hacks, it can massively lower the cost.

The Next Bridge Hack

It’s worth noting that 2023 is considered a bear market, meaning fewer bridges and L1/L2s were launched and less money was deposited into them. We expect at least $250mm will be lost in bridge hacks in 2024.

• Bridge TVL and hack losses will remain closely correlated.

• Monolithic systems tend to be more vulnerable than modular ones. Teams that roll their own cross chain messaging services/oracles are more vulnerable than teams that rely on broadly accepted solutions (Layer0, Chainlink).

• Cross virtual machine bridging (i.e. SVM to EVM or Cosmos to EVM) has more potential attack surface area.

As a user, what does this mean for me?

The good news is that almost all of these hacks only impacted people who had deposited funds into the bridge. Almost all pool designs rely on third parties (known as LPs) depositing funds into the pool typically in exchange for yield. Most users of most of hacked bridges lost no money. Unless you happened to use it during the hack, losing money was next to impossible. As long as a bridge has done 100mm in volume, has a bug bounty, and has passed an audit you are unlikely to lose funds by simply using it.

The bad news is that, heuristically, it’s likely not wise to be an LP in a bridge. Bridges have been a net negative proposition so far for LPs as the liquidation value of the rewards paid out falls comically short of the amount of funds lost. Farmers seem to consistently and comically underprice the risk associated with leaving assets in a smart contract controlled by an off chain oracle.

As a project, what steps can we take to protect our users?

Hourglass is predicated on the belief that some architectures are more secure than others. Pools are dangerous. That being said, there are general security practices that all protocols should follow.

• Get audited🧐📝: Different groups have different opinions on different auditors. We like Zellic.

• Testing🧪🤖: Testing should focus on:

  • Edge cases: Every possible weird scenario should be tested extensively.

  • Fuzzing: Firing random inputs into the program and observing its output is an easy way to identify unexpected behavior.

• Offer Bug Bounties🐞💰: Offering rewards for bugs is an easy way to use competition to identify exploits before they’re worth exploiting. Only the first person to find the bug gets paid. We opted to go with Immunefi and appreciate their team’s no nonsense approach.

• Be Intentional 💭🙇: Things like contract upgradability introduce attack vectors to protocols. There will always be a balance between centralization and asset recoverability that all developers have to navigate and thinking through these things takes time. Every adjustment has the potential of creating issues elsewhere.

At the end of the day bridges will always be dependent on third party technology. It is unrealistic to expect that there will be a point in time where there will be no bridge hacks. Our focus should be on mitigation, rather than prevention. Eliminating our reliance on pools has the potential to drastically reduce the amount of value at risk.If you’re interested in learning more about the future of cross-chain liquidity orchestration, follow Hourglass on twitter or join our telegram.

1

In a sense exchanges (Binance) and asset issuers (Circle) still are.

2

$8.74 billion has been lost to hacks in crypto according to Rekt.

3

This is the reason that commercial aircraft have multiple jets. The FAA actually requires that modern planes be able to continue flying even after losing an engine.