LI.FI - The Cross-Chain Insider Newsletter

Share this post

5 Times Whitehat Hackers Saved the Bridges from Collapsing

lifi.substack.com

Discover more from LI.FI - The Cross-Chain Insider Newsletter

The Cross-Chain Insider is LI.FI's newsletter about everything cross-chain.
Over 14,000 subscribers
Continue reading
Sign in

5 Times Whitehat Hackers Saved the Bridges from Collapsing

Arjun Chand
Jul 22, 2022
3
Share this post

5 Times Whitehat Hackers Saved the Bridges from Collapsing

lifi.substack.com
Share

While we are heads down building safe bridges, hackers sense an opportunity to find a chink in the armor. The sad reality is that while bridges are necessary for the multi-chain or cross-chain ecosystem we find ourselves in, they are also the weakest link. As a result, bridges have become prime targets for hackers, and unfortunately, 4 out of the top 10 biggest hacks in the history of DeFi are bridges:

  • Ronin Bridge ($624M) — hackers (attributed to the Lazarus group from North Korea) used social engineering techniques to run a phishing attack on the validators of Ronin bridge. They managed to gain control over 5/9 private keys of Ronin validators and drained the funds from the bridge contract.

  • Poly Network ($611M) — hackers found a loophole in the admin privileges of Poly Network’s smart contracts and forced the system to empty its wallet.

  • Wormhole ($326M) — the hackers exploited a security problem in the smart contract’s code and minted over 120k wETH.

  • Harmoney’s Horizon Bridge ($100M) — another social engineering attack where the hackers (Lazarus group) gained access to the private keys of validators and thus were able to authorize a false transaction.

According to the Rekt database, at least 80% of the lost assets in 2022 have been stolen from hacked bridges. Moreover, if you listen to giga brains like Arjun Bhuptani, the first $1B bridge hack is bound to happen.

Twitter avatar for @arjunbhuptani
Arjun | xcall me maybe @arjunbhuptani
1. PolyNetwork -> Wormhole -> Ronin. There's a clear trend that these hacks are getting more and more devastating. 📈 Expect this trend to continue as multisig bridges scale and liquidity fragments further across chains. The next big bridge hack will be for $1b+.
5:40 PM ∙ Mar 29, 2022
43Likes7Retweets

But what if I told you that while we’ve already lost over a billion dollars in bridge hacks, things could have been far worse than they are today? It’s true! While bridges are honey pots for hackers, and multiple attempts have been made to hack different bridges, the attempts are not always successful, thanks to whitehat hackers (a whitehat hacker is an ethical security hacker). 

Here are five instances where bridges have been saved by whitehats:

1. Wormhole — rewarded @satya0x $10 million for disclosing a critical bug in Wormhole’s core bridge contract on Ethereum on February 24, 2022. The bug was an upgradeable proxy implementation self-destruct bug linked to Wormhole’s ability to upgrade their smart contract. If the bug had been exploited, the hacker could have gained access to all the funds locked in Wormhole’s smart contracts.

Twitter avatar for @immunefi
Immunefi @immunefi
Whitehat satya0x reported a critical vulnerability in @wormholecrypto on Feb 24 via Immunefi. The bug was quickly patched, no user funds were affected, and satya0x received a $10 million payout from Wormhole, the largest bounty payout on record.
medium.comWormhole Uninitialized Proxy Bugfix ReviewSummary
4:51 PM ∙ May 20, 2022
1,177Likes267Retweets

2. Polygon Plasma Bridge — rewarded Gerhard Wagner $2 million for finding a bug in the Polygon Plasma Bridge on October 5, 2021. The whitehat hacker prevented a potential $850M hack, as the discovered vulnerability would have allowed an attacker to “exit their burn transaction from the bridge multiple times, up to 223 times.”

Twitter avatar for @g3rh4rdw4gn3r
Gerhard Wagner @g3rh4rdw4gn3r
I just published a write up on the double spending bug I found in @0xPolygon's Plasma bridge gerhard-wagner.medium.com/double-spendin… and submitted through @immunefi
gerhard-wagner.medium.comDouble spending bug in Polygon’s Plasma bridgeI thought I was out of the security game for a while now and that my interests have moved on to other fields. Last week I came back from an…
12:56 PM ∙ Oct 21, 2021
980Likes240Retweets

3. Optimism — rewarded Jay Freeman $2,000,042 for reporting a critical vulnerability in the Optimism protocol on February 2, 2022. The bug would have allowed an attacker to print an unlimited amount of ETH, exploiting a vulnerability found in OVM 2.0.

Note: Rollups like Optimism are considered the safest implementation of bridges as they leverage L1 for verifying the validity of state transitions for L2s using fraud proofs.

Twitter avatar for @optimismFND
Optimism (✨🔴_🔴✨) @optimismFND
We're very excited to announce the launch of the Optimism bug bounty program with @immunefi. Earn up to $2mm for critical bug discoveries! Full details of the program, including what’s in scope and specific guidelines can be found at
Twitter avatar for @immunefi
Immunefi @immunefi
NEW BIG BOUNTY: $2,000,0042 👀 @optimismPBC has just launched their bug bounty program on Immunefi! Optimism: Scaling Ethereum's present to provide funding for its future. Find bugs. Get yourself OVER $2 Million Dollars. https://t.co/A6g42ycVnu #defi #immunefi #optimism
4:50 PM ∙ Jan 13, 2022
113Likes45Retweets

4. Poly Network — hackers returned all of the user funds on Ethereum (except the $33 million in frozen USDT). They claimed to do the hack “for fun” because “cross-chain hacking is hot.” The Poly Network team offered a $500,000 reward, but the whitehat hacker did not accept it.

Twitter avatar for @PolyNetwork2
Poly Network @PolyNetwork2
#PolyNetwork has no intention of holding #mrwhitehat legally responsible and cordially invites him to be our Chief Security Advisor. $500,000 bounty is on the way. Whatever #mrwhitehat chooses to do with the bounty in the end, we have no objections.
link.medium.comLatest Updates(AUG 17)To everyone who remains concerned and has been keeping up with the progress on Poly Network,
10:13 AM ∙ Aug 17, 2021
475Likes107Retweets

5. Aurora’s Rainbow Bridge — rewarded pwning.eth with $6,000,000 for submitting a critical vulnerability in Aurora’s Rainbow bridge on April 26, 2022. The vulnerability consisted of an infinite loop spend bug, which could have led to an exploit of 70,000 ETH and $200M in other assets.

Twitter avatar for @PwningEth
pwning.eth @PwningEth
1/ Hey I’m pwning.eth! A few months ago, I reported a critical bug in the @auroraisnear Aurora Engine - a layer 2 EVM solution built for the @NEARProtocol. The catch got me a $6M payout, the 2nd highest payout in history! Here’s some background,
3:55 PM ∙ Jun 18, 2022
76Likes18Retweets

pwning.eth is now the proud holder of Immunefi’s Whitehat Hall Of Fame NFT for his work with Aurora’s vulnerability.

Yes, I right-click, save-d that NFT 🙃

While we’re talking about Rainbow Bridge, it’s important to mention the bridge watchdogs who stopped a different attack on Rainbow Bridge in its tracks. This was not precisely a whitehack event. But, in a world that calls itself decentralized, autonomous, and cryptographically secured, this is what it looks like for a "white hat" to act on-chain. The sad part, however, is that the MEV bot front-ran the watchdog to gain 2.5 ETH :/

Twitter avatar for @AlexAuroraDev
Alex Shevchenko 🇺🇦 @AlexAuroraDev
🧵 on the Rainbow Bridge attack today. TL;DR: attack was stopped automatically, no bridged funds lost, attacker lost some money, bridge architecture was designed to resist such attacks, additional measures to be taken to ensure the cost of an attack attempt is increased
5:01 PM ∙ May 1, 2022
2,042Likes454Retweets

To conclude, whitehat hackers play a pivotal role in the crypto ecosystem, and bridges (and other projects) should continuously run bug bounties to incentivize them and prevent exploits. If you’re a bridge builder, make your code open-sourced and accessible so it’s easier for whitehat hackers to review it. 

Some ongoing bridge bug bounties on Immunefi include:

  • Wormhole – up to $10M

  • Multichain – up to $2M

  • Celer (cBridge) – up to $2M

  • Polygon – up to $2M

  • Arbitrum – up to $2M

  • Optimism – up to $2M

  • RenVM – up to $1M

  • Axelar – up to $1M

  • Nomad – up to $1M

  • Router Protocol – up to $200k

  • deBridge – up to $200k

  • Gravity Bridge – up to $200k

  • Connext – up to $100k

Thanks for reading LI.FI - The Cross-Chain Insider Newsletter! Subscribe for free to receive new posts and support my work.

Get Started with LI.FI Today

To learn more about us,

  • Head to our link portal at links.li.fi

  • Read our SDK ‘quick start’ at docs.li.fi

  • Join the official Discord server

  • Follow our Telegram Newsletter

  • Follow us on Twitter & LinkedIn

or try our any-2-any swaps NOW at transferto.xyz

3
Share this post

5 Times Whitehat Hackers Saved the Bridges from Collapsing

lifi.substack.com
Share
Comments
Top
New
Community

No posts

Ready for more?

© 2023 LI.FI
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great writing