According to a cybersecurity investigation by Merkle Science, because of their technological complexity and highly experimental nature, cross-network bridges are especially susceptible to exploits: Bridges across chains are frequently more vulnerable to vulnerabilities than other protocols since they need additional contacts and contract approvals. Additionally, because bridges are operated by unverified computer programs, they are more vulnerable to assaults. Additionally, the identities of the validators and nodes that carry out the transactions are also unknown. In 2022, bridges were the main targets of assaults, and hackers also made use of other DeFi techniques.
Wormhole, a bridge created to enable smooth value transfer between different blockchains, was targeted by hackers on February 3, 2022. They were able to create 120,000 Wrapped Ethers (wETH) on the Solana (SOL) blockchain without putting up the necessary Ethereum (ETH) collateral because to a flaw in the code. From Chainanalysis Any DeFi platform willing to take 120,000 wETH (created out of thin air) as collateral might become insolvent as a result of the breach. Fortunately, the worst-case situation did not occur. Wormhole’s parent business, Jump Crypto, accepted all losses and replaced the protocol liquidity pools with 120,000 Ethers right once.
The Ronin network was hacked on March 23 by Lazarus, a notorious state-sponsored hacking organization from North Korea. An Ethereum-like sidechain called Ronin was created especially for the main GameFi, Axie Infinity. Ronin was robbed by attackers of a staggering $568 million. Five out of the nine validator signatures for Ronin Bridge were taken over by hackers. Following that, they approved two transactions totaling 173,600 ETH and 25.5 million USD Coin (USDC). Over $445 million of this enormous windfall was laundered via the Tornado Cash cryptocurrency mixer. Sky Mavis, the creator of Axie Infinity, acquired additional funds, requested a second CertiK security audit, and upped the multisig barrier from 5/9 to 8/9.
Nomad, a multi-chain bridge that connects the blockchains of Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Moonbeam (GLMR), and other networks, lost $190.7 million in cryptocurrency in August 2022. Attackers were able to take advantage of a flaw in the smart contract architecture: the protocol enabled users to withdraw money from the target blockchain without verifying that it matched the amount that was initially distributed. Simply said, users were allowed to deposit 1 ETH on Ethereum (ETH) and request a withdrawal from Avalanche for 100 ETH following the usual update (AVAX). The point is, before the fix was deployed, any tech-savvy Web3 enthusiast could duplicate this attack vector and steal money from Nomad. As a result, a large number of Ethereum (ETH) engineers withdrew money just to pay it back to the Nomad team: close to $40 million was handed back.
A sophisticated flash loan attack was launched against the Ethereum-based stablecoin project Beanstalk (BEAN) on April 16, 2022. Specifically, bad actors were able to obtain a flash loan on Aave Finance (AAVE) and purchase the appropriate number of governance tokens to take over the protocol’s on-chain referendums. A money transfer to their personal account was then approved by the assailants’ supermajority of votes. They quickly paid back the flash loan when $180 million was deposited; the net profit was greater than $80 million.
One of the biggest market-making platforms, Wintermute, had its bank accounts emptied for $160 million in September 2022. Attackers revealed that Profanity, a maker of “vanity addresses” for the Ethereum (ETH) network, was used to build some of Wintermute’s important wallets. These programs are capable of producing crypto wallets with human-readable addresses, such as 0xJohnDoe1111… and similar ones. Attackers were able to brute-force the vanity addresses and obtain private keys because to a flaw in Profanity’s design. The attack was made feasible by the criminals’ extensive use of computing power.