Review of Cross-Chain Bridge Security Incidents: Top 10 Attacks Involving Over $1.9 Billion in Funds

Cross-chain bridges, as a key infrastructure connecting different blockchain networks, have frequently suffered attacks in recent years, resulting in substantial financial losses. This article reviews ten major security incidents involving cross-chain bridges, totaling over $1.9 billion in funds, of which approximately $1.55 billion has been recovered or compensated. These cases highlight the security challenges faced by cross-chain bridges and provide valuable lessons for the industry.

ChainSwap: Approximately $8 million lost due to two attacks

In July 2021, ChainSwap suffered two attacks within just 9 days. The first resulted in a loss of approximately $800,000, while the second expanded the loss to $8 million, affecting more than 20 projects that used ChainSwap for cross-chain transactions.

The reason for the attack lies in the protocol's failure to strictly verify the validity of signatures, allowing attackers to complete transactions using self-generated signatures. Since the affected tokens are mainly governance tokens, multiple projects have chosen to take snapshots and reissue tokens to compensate holders.

Poly Network: $610 million in funds stolen fully recovered

In August 2021, the cross-chain protocol Poly Network suffered a major attack, losing approximately $610 million in assets across Ethereum, Binance Smart Chain, and Polygon.

The attack exploited a vulnerability in the contract's permission management, allowing the attacker to successfully modify the validator address on the target chain. Despite thorough initial preparations, the hacker ultimately chose to return all the funds, and Poly Network referred to them as a "white hat" hacker.

Multichain: $6 million vulnerability loss has been compensated

In January 2022, Multichain discovered a significant vulnerability affecting multiple tokens. Approximately 7962 user addresses were impacted, resulting in a loss of $6.04 million.

The vulnerability stems from the failure to properly check the validity of user input tokens. The official has recovered nearly 50% of the stolen funds and has proposed a compensation plan, but it is limited to users who revoked their authorization in a timely manner.

QBridge: $80 million loss compensated only 2%

At the end of January 2022, the cross-chain bridge QBridge of the lending platform Qubit was attacked, resulting in a loss of approximately $80 million.

The attacker exploited a vulnerability in QBridge while processing whitelist token transfers, successfully minting a large number of xETH tokens on BSC and emptying Qubit’s collateral. Currently, Qubit’s usage rate is sluggish, with 98% of the stolen funds yet to be compensated.

Meter.io: 4.4 million USD loss compensated with future earnings

In February 2022, the Meter Passport cross-chain bridge was attacked, resulting in a loss of 4.4 million dollars.

The issue lies in the "faulty trust assumption" of the underlying code, which allows attackers to forge BNB and ETH transfers. Meter compensates by issuing a new token, PASS, promising to buy back with future earnings, but it has not been implemented yet.

Ronin: Full compensation after $620 million stolen

In March 2022, the Ronin chain used by Axie Infinity suffered a major attack of $620 million.

The attack originated from social engineering techniques, with hackers infiltrating the system through fake recruitment and ultimately gaining control of multiple validation nodes. Although the stolen funds could not be recovered, the developer Sky Mavis successfully raised $150 million through financing to compensate users for their losses.

Wormhole: $326 million loss compensated instantly

In February 2022, the cross-chain protocol Wormhole was attacked, resulting in a loss of approximately $326 million.

The attack exploited a signature verification vulnerability in the Solana smart contract. The acquiring company, Jump Crypto, quickly replenished an equivalent amount of ETH, allowing Wormhole to resume operations.

EvoDeFi: Suspected Backdoor for Stealing User Assets

In June 2022, USDT on the Oasis ecosystem DEX ValleySwap suffered a severe depeg, resulting in an estimated loss of tens of millions of dollars.

The problem arises from the lack of liquidity on the source chain of the cross-chain bridge EVODeFi. There are speculations that user assets may have been stolen through a backdoor. Currently, the parties involved have not provided any solutions, and user losses cannot be recovered.

Horizon: Nearly $100 million in losses, compensation plan is still being developed

In June 2022, Harmony's official cross-chain bridge Horizon was attacked, resulting in a loss of approximately $100 million.

The official acknowledges that the attack may have been caused by a private key leak. They are currently negotiating with the community to formulate a new compensation plan.

Nomad: $190 million stolen, part of the funds may be recovered

In August 2022, the Nomad cross-chain bridges suffered a major attack of $190 million.

The attack originated from an initialization error during a contract upgrade. There is currently no clear compensation plan, but some white hat hackers have expressed their willingness to return the funds.

Summary

These cases indicate that even leading cross-chain bridges are facing serious security threats. In contrast, projects with strong backgrounds have an advantage in crisis management, often being able to better protect user interests. At the same time, effective real-time monitoring and rapid response mechanisms are also key to preventing attacks. The security issues of cross-chain bridges still require continuous attention and improvement from the industry.