5 Times Whitehat Hackers Saved the Bridges from Collapsing

Jul 22, 2022

While we are heads down building safe bridges, hackers sense an opportunity to find a chink in the armor. The sad reality is that while bridges are necessary for the multi-chain or cross-chain ecosystem we find ourselves in, they are also the weakest link. As a result, bridges have become prime targets for hackers, and unfortunately, 4 out of the top 10 biggest hacks in the history of DeFi are bridges:

Ronin Bridge ($624M) — hackers (attributed to the Lazarus group from North Korea) used social engineering techniques to run a phishing attack on the validators of Ronin bridge. They managed to gain control over 5/9 private keys of Ronin validators and drained the funds from the bridge contract.

Poly Network ($611M) — hackers found a loophole in the admin privileges of Poly Network’s smart contracts and forced the system to empty its wallet.

Wormhole ($326M) — the hackers exploited a security problem in the smart contract’s code and minted over 120k wETH.

Harmoney’s Horizon Bridge ($100M) — another social engineering attack where the hackers (Lazarus group) gained access to the private keys of validators and thus were able to authorize a false transaction.

According to the Rekt database, at least 80% of the lost assets in 2022 have been stolen from hacked bridges. Moreover, if you listen to giga brains like Arjun Bhuptani, the first $1B bridge hack is bound to happen.

Arjun | xcall me maybe @arjunbhuptani

1. PolyNetwork -> Wormhole -> Ronin. There's a clear trend that these hacks are getting more and more devastating. 📈 Expect this trend to continue as multisig bridges scale and liquidity fragments further across chains. The next big bridge hack will be for $1b+.

But what if I told you that while we’ve already lost over a billion dollars in bridge hacks, things could have been far worse than they are today? It’s true! While bridges are honey pots for hackers, and multiple attempts have been made to hack different bridges, the attempts are not always successful, thanks to whitehat hackers (a whitehat hacker is an ethical security hacker).

Here are five instances where bridges have been saved by whitehats:

1. Wormhole — rewarded @satya0x $10 million for disclosing a critical bug in Wormhole’s core bridge contract on Ethereum on February 24, 2022. The bug was an upgradeable proxy implementation self-destruct bug linked to Wormhole’s ability to upgrade their smart contract. If the bug had been exploited, the hacker could have gained access to all the funds locked in Wormhole’s smart contracts.

Immunefi @immunefi

Whitehat satya0x reported a critical vulnerability in @wormholecrypto on Feb 24 via Immunefi. The bug was quickly patched, no user funds were affected, and satya0x received a $10 million payout from Wormhole, the largest bounty payout on record.

medium.comWormhole Uninitialized Proxy Bugfix ReviewSummary

2. Polygon Plasma Bridge — rewarded Gerhard Wagner $2 million for finding a bug in the Polygon Plasma Bridge on October 5, 2021. The whitehat hacker prevented a potential $850M hack, as the discovered vulnerability would have allowed an attacker to “exit their burn transaction from the bridge multiple times, up to 223 times.”

Gerhard Wagner @g3rh4rdw4gn3r

I just published a write up on the double spending bug I found in @0xPolygon's Plasma bridge gerhard-wagner.medium.com/double-spendin… and submitted through @immunefi

gerhard-wagner.medium.comDouble spending bug in Polygon’s Plasma bridgeI thought I was out of the security game for a while now and that my interests have moved on to other fields. Last week I came back from an…

3. Optimism — rewarded Jay Freeman $2,000,042 for reporting a critical vulnerability in the Optimism protocol on February 2, 2022. The bug would have allowed an attacker to print an unlimited amount of ETH, exploiting a vulnerability found in OVM 2.0.

Note: Rollups like Optimism are considered the safest implementation of bridges as they leverage L1 for verifying the validity of state transitions for L2s using fraud proofs.

Optimism (✨🔴_🔴✨) @optimismFND

We're very excited to announce the launch of the Optimism bug bounty program with @immunefi. Earn up to $2mm for critical bug discoveries! Full details of the program, including what’s in scope and specific guidelines can be found at

Immunefi @immunefi

NEW BIG BOUNTY: $2,000,0042 👀 @optimismPBC has just launched their bug bounty program on Immunefi! Optimism: Scaling Ethereum's present to provide funding for its future. Find bugs. Get yourself OVER $2 Million Dollars. https://t.co/A6g42ycVnu #defi #immunefi #optimism

4. Poly Network — hackers returned all of the user funds on Ethereum (except the $33 million in frozen USDT). They claimed to do the hack “for fun” because “cross-chain hacking is hot.” The Poly Network team offered a $500,000 reward, but the whitehat hacker did not accept it.

Poly Network @PolyNetwork2

#PolyNetwork has no intention of holding #mrwhitehat legally responsible and cordially invites him to be our Chief Security Advisor. $500,000 bounty is on the way. Whatever #mrwhitehat chooses to do with the bounty in the end, we have no objections.

link.medium.comLatest Updates(AUG 17）To everyone who remains concerned and has been keeping up with the progress on Poly Network,

5. Aurora’s Rainbow Bridge — rewarded pwning.eth with $6,000,000 for submitting a critical vulnerability in Aurora’s Rainbow bridge on April 26, 2022. The vulnerability consisted of an infinite loop spend bug, which could have led to an exploit of 70,000 ETH and $200M in other assets.

pwning.eth @PwningEth

1/ Hey I’m pwning.eth! A few months ago, I reported a critical bug in the @auroraisnear Aurora Engine - a layer 2 EVM solution built for the @NEARProtocol. The catch got me a $6M payout, the 2nd highest payout in history! Here’s some background,

pwning.eth is now the proud holder of Immunefi’s Whitehat Hall Of Fame NFT for his work with Aurora’s vulnerability.

While we’re talking about Rainbow Bridge, it’s important to mention the bridge watchdogs who stopped a different attack on Rainbow Bridge in its tracks. This was not precisely a whitehack event. But, in a world that calls itself decentralized, autonomous, and cryptographically secured, this is what it looks like for a "white hat" to act on-chain. The sad part, however, is that the MEV bot front-ran the watchdog to gain 2.5 ETH :/

Alex Shevchenko 🇺🇦 @AlexAuroraDev

🧵 on the Rainbow Bridge attack today. TL;DR: attack was stopped automatically, no bridged funds lost, attacker lost some money, bridge architecture was designed to resist such attacks, additional measures to be taken to ensure the cost of an attack attempt is increased

To conclude, whitehat hackers play a pivotal role in the crypto ecosystem, and bridges (and other projects) should continuously run bug bounties to incentivize them and prevent exploits. If you’re a bridge builder, make your code open-sourced and accessible so it’s easier for whitehat hackers to review it.

Some ongoing bridge bug bounties on Immunefi include:

Wormhole – up to $10M
Multichain – up to $2M
Celer (cBridge) – up to $2M
Polygon – up to $2M
Arbitrum – up to $2M
Optimism – up to $2M
RenVM – up to $1M
Axelar – up to $1M
Nomad – up to $1M
Router Protocol – up to $200k
deBridge – up to $200k
Gravity Bridge – up to $200k
Connext – up to $100k

Get Started with LI.FI Today

To learn more about us,

Head to our link portal at links.li.fi
Read our SDK ‘quick start’ at docs.li.fi
Join the official Discord server
Follow our Telegram Newsletter
Follow us on Twitter & LinkedIn

or try our any-2-any swaps NOW at transferto.xyz

interop/acc

Discussion about this post