BBX Logo Beta

--

Cross chain bridge/protocol attacks are often similar, essentially exploiting the structural weaknesses of cross chain mechanisms. Cross chain protocols lock/hold a large amount of native assets (or liquidity), forming a 'honeypot'. The impact of THORChain on BTC, ETH, BSC, and Base multi chains this time is also due to the dispersed funds but unified verification/routing logic. From a historical perspective, the current attack vectors for cross chain bridges/protocols include: 1. Wormhole's $320 million hacking incident in 2022 resulted in a signature verification bug, which constitutes a signature/verification bypass. 2. Nomad's $190 million hacking incident in 2022: Configuration error resulted in arbitrary message passing, which is a contract logic error. Ronin's $625 million hacking incident in 2022: 5/9 keys were stolen, belonging to multi signature/key breach. THORChain drew funds through the Router contract and Vaults this time, which is similar to the "burn mint" or swap logic vulnerability of many liquidity bridges, belonging to the Router/Vault/Bridge vulnerability. Between 2022 and 2026, bridge/cross chain related losses will exceed approximately $2.8 billion, accounting for a significant proportion of DeFi's total hacker losses, just after last month's Kelp incident (LayerZero bridge, $290 million). Why do cross chain bridges/protocols always have problems? Cross chain essentially connects chains with different security models, introducing additional complexity and trust assumptions, and having a larger attack surface than single chain DeFi: Involving multi chain smart contracts and off chain components (validators, Relayer, Oracle). The security of one chain does not equal the overall security. Any problem with the code, message passing, or validation logic on the bridge could result in a complete crash. Some trust models of bridges/protocols are also not perfect, such as relying on multiple signatures/a small number of validators (low threshold and easy to be breached); Complex message verification (leading to false deposit events, signature forgery, replay attacks); Upgrade/configuration risks (upgradable contracts or parameter errors are often exploited).

Loading...