First release: Three “bridge bombing cases” in ten days, V God pointed out that the security risk of cross-chain bridges may destroy the future of multi-chain

This article was originally created by the Certik Chinese community, authorized by Golden Finance for the first time, please indicate the source for reprinting

With the development of blockchain technology and the emergence of various new growth, the cryptocurrency ecosystem has created more security risks and complexities.

On the basis of 2021, there is another “power player” on the attack track in 2022.

As a new attack vector, the cross-chain bridge has not yet matured in terms of security. Therefore, cross-chain bridges are also one of the areas where all projects and developers should be vigilant.

Before the Spring Festival holiday in 2022, there were two major attacks on the cross-chain bridge. Counting another similar incident before the Spring Festival, the three attacks in just 10 days made the hackers “proud” in the cross-chain bridge. people” results.


Before understanding these events, we need to know what a cross-chain bridge is and how it works.

In a relatively simple description: bridges transfer assets from one blockchain to another.

Cross-chain transactions

The steps of cross-chain transaction are as follows:

1. The user “deposits” tokens into a “bridge contract” on a chain and generates a proof specifying the required cross-chain information (e.g., the number of tokens to withdraw and recipient addresses).

2. The bridge contract verifies the proof, and then on the target chain the user can “withdraw” tokens from the bridge contract.

In three recent incidents, attackers injected deceptive data, bypassing verification, and withdrawing the corresponding tokens on the target chain to specified addresses.


Common attack vectors on Bridges

Qubit Bridge Vulnerability Incident

The attacker forged data to bypass the bridge contract’s data authenticity check, allowing the bridge contract to generate a false proof of time that the attacker has deposited without providing any cryptocurrency.

The underlying reason is that ETH and ERC-20 deposits share the same proof of event. This allows an attacker to call this function to generate a fake ETH deposit event proof using a non-existent ERC20 deposit fact and use it to withdraw ETH on another chain.

In this case the vulnerability in the contract is triggered – the “safeTransferFrom” function does not fallback when the token address is EOA (eg address(0)). Therefore, the attacker obtains the proof without sending any tokens to the contract.



Meter Bridge Vulnerability Incident

The vulnerability is similar to the Qubit bridge vulnerability – the attacker bypasses the bridge contract by providing a non-existing token proof to the bridge and thus bypasses the verification process, allowing the token to be withdrawn on another chain.

The Bridge contract provides two methods: deposit and depositETH. However, both methods produce the same proof of deposit event, and the deposit function does not block WETH/WBNB deposit transactions, nor does it destroy or lock WETH/WBNB.

By using the deposit, the hacker made the bridge contract generate a fake WETH/WBNB deposit event proof without any real deposit.



Solana Cross-Chain Bridge Wormhole Event

In the Solana wormhole vulnerability incident, the attacker bypassed the “verify signature” by injecting a malicious “sysvar account” into the instruction, and forged a message to mint Wormhole-wrapped Ether.

The root cause of this vulnerability is that during the verification signature process (“verify_signatures”), the program uses a “load_current_index” function that was deprecated when Solana was updated to 1.8.0. The function does not verify that the entered “sysvar account” is really “system sysvar”, allowing an attacker to forge this critical account.

After that, the attacker used this fake account to generate fake minting information, and then extracted the corresponding real tokens on the target chain according to the obtained minting coins.


Three “bridge bombing cases” summary

Qubit and’s bridge code fails to handle critical situations, that is, the contract’s ERC20 deposit function can be used to generate a fake ETH/BNB deposit event proof, which becomes a proof of real ETH/BNB withdrawal on the target chain .

Wormhole bridge is the “sysvar account” injected by its contract unverified caller, thus producing false minting information.

All in all, all three of the above incidents were caused by flaws in the verification process.

How to deal with such vulnerabilities?

There are some key lessons we can draw from the above attack:

1. For different functions, such as ERC20 deposit and ETH/BNB deposit, the contract should generate different event proofs.

2. Always remember to validate user injected input.

3. Pay close attention to recent vulnerability events and check other projects for similar situations.

4. The core contract of each bridge needs to be audited accordingly.

In addition, when this vulnerability occurs, we should:

1. Stop relaying the message layer and suspend token transmission. The bridge contract should also suspend all deposit and withdrawal functions.

2. Immediately notify the community, exchanges and platform partners to monitor the flow of funds.

3. Establish communication channels with authoritative security experts for effective discussion and information sharing.

4. Identify, validate and remediate vulnerabilities. Timely testing to ensure that existing vulnerabilities are resolved and no new ones are created, and the bridge contract is upgraded.

5. Assess damage and communicate candidly with the community about the amount of assets exploited, recoverable assets, and compensation plans

Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2022-02-12 08:20
Next 2022-02-12 08:26

Related articles