The year 2021 was marked by a string of DeFi frauds, with rug pulls and exit scams among the most common. 2022 looks set to surpass 2021 not only in the number of attacks but also in the volume of funds stolen, and this time attackers are shifting their focus to blockchain bridges.
February saw one of the most expensive DeFi hacks to date. The attacker stole more than $320 million in wrapped ETH (wETH) from Wormhole, a bridge that enables the transfer of funds between the Ethereum and Solana blockchains.
The attacker exploited a bug in Wormhole's Solana program: its signature-verification step relied on a deprecated Solana function that did not check that the account it was handed was the genuine instructions sysvar, so a caller could supply a fake account and bypass guardian signature verification entirely.
What I find interesting is that the attack came after the fix had already been committed to Wormhole's public GitHub repository. The commit effectively disclosed the bug.
Some hours later, the bridge was drained.
I agree with Information Security Architect Matthew Garrett, who said that publishing this update without first deploying it to production was a mistake.
It revealed the vulnerability to the public by essentially explaining what the vulnerability was. It is not surprising that somebody took advantage of this.
Another detail that caught my attention is the code itself. It does not look like a routine update; it contains extensive changes. That is why it took an attacker only moments to work out that the changes had not yet been deployed on-chain. By forging the signature-verification step, the attacker minted 120,000 wETH (approximately $320 million) on Solana without depositing any collateral first, then moved the stolen funds to their own wallet.
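The bug pattern described above, trusting the contents of a caller-supplied account instead of first checking that the account is the one the runtime is supposed to provide, is easier to see in code. The following is an added illustration written for this article, not Wormhole's program or its fix: the account layout, the verification record and the guardian count are constructed stand-ins (the sysvar address is Solana's real one; the 19-guardian, 13-signature quorum reflects Wormhole's guardian set at the time). The vulnerable verifier reads the record out of whatever account it is given, while the hardened one binds the check to the account's address first.

```python
import hashlib
from dataclasses import dataclass

# Real address of Solana's instructions sysvar. Everything else below is a
# constructed, simplified model of the accounts a bridge program is handed;
# it is not Wormhole's code.
SYSVAR_INSTRUCTIONS_PUBKEY = "Sysvar1nstructions1111111111111111111111111"

# Wormhole's guardian set at the time: 19 guardians, 13 signatures for quorum.
NUM_GUARDIANS = 19
QUORUM = 13


@dataclass
class Account:
    """Constructed stand-in for a Solana account: its address and raw data."""
    key: str
    data: bytes


def verification_record(verified_guardians: int) -> bytes:
    """Constructed stand-in for the record the runtime leaves in the sysvar
    after the signature-check instruction ran: one flag byte per guardian."""
    return bytes([1] * verified_guardians + [0] * (NUM_GUARDIANS - verified_guardians))


def verify_signatures_deprecated(instructions_account: Account) -> bool:
    """Vulnerable pattern: trusts the record in whatever account it was given
    and never checks that the account is the genuine instructions sysvar."""
    return sum(instructions_account.data) >= QUORUM


def verify_signatures_hardened(instructions_account: Account) -> bool:
    """Hardened pattern: bind the check to the account's address first, so
    only a record written by the runtime into the real sysvar is trusted."""
    if instructions_account.key != SYSVAR_INSTRUCTIONS_PUBKEY:
        raise ValueError("account is not the instructions sysvar")
    return sum(instructions_account.data) >= QUORUM


def genuine_sysvar(verified_guardians: int) -> Account:
    """Account the runtime would supply: real address, honest record."""
    return Account(SYSVAR_INSTRUCTIONS_PUBKEY, verification_record(verified_guardians))


def forged_sysvar() -> Account:
    """Constructed attacker-controlled account: arbitrary address, and data
    claiming that every guardian signed."""
    fake_key = hashlib.sha256(b"attacker-owned account").hexdigest()[:44]
    return Account(fake_key, verification_record(NUM_GUARDIANS))


def run_scenarios() -> dict:
    """Return which verifier accepts which account for the constructed cases."""
    results = {}
    results["deprecated_accepts_forged"] = verify_signatures_deprecated(forged_sysvar())
    try:
        verify_signatures_hardened(forged_sysvar())
        results["hardened_accepts_forged"] = True
    except ValueError:
        results["hardened_accepts_forged"] = False
    results["hardened_accepts_genuine_quorum"] = verify_signatures_hardened(genuine_sysvar(QUORUM))
    results["hardened_accepts_genuine_short"] = verify_signatures_hardened(genuine_sysvar(QUORUM - 1))
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {accepted}")
```

The point of the hardened version is that the address check happens before any data is read: a Solana program receives accounts from the transaction, so anything that is not pinned to a known address is attacker-controlled input, whatever it claims to contain.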
The Wormhole team managed to find out which ETH address was involved in the exploit.
They offered the attacker a $10 million bounty for returning the funds. The offer was embedded as a text message in a transaction sent to the attacker's wallet.
As of now, the funds have not been returned, and the value of SOL dropped by 10% after the hack.
Some weeks later, the Ronin bridge, which Axie Infinity players use to move assets between the Ronin network and Ethereum, was drained using compromised private keys. These are the cryptographic keys validators use to sign withdrawals, and the attacker obtained them for five of the nine Ronin validator nodes, exactly the threshold needed to approve a transaction. With them, the attacker signed fraudulent withdrawals and escaped with about $622 million in ETH and USDC.
Sky Mavis, the developer behind the game, identified the Ethereum wallet used by the Ronin attacker, and the United States Department of the Treasury linked that wallet to the North Korean Lazarus Group, a state-backed hacking group.
The Treasury's Office of Foreign Assets Control (OFAC) added the wallet to its sanctions list as tied to Lazarus.
Lazarus commonly launders through Tornado Cash, a transaction-mixing service that makes it harder to trace cryptocurrency as it moves between wallets. This time, Tornado Cash announced that it would block any address on the OFAC list.
That made it impossible for the sanctioned wallet to launder funds through Tornado Cash directly. Instead, the attacker began splitting large amounts of ETH across additional wallets, which let OFAC identify the other wallets involved in the hack and list them as linked to Lazarus as well.
Axie Infinity has recovered from the hack by hard-forking the Ronin protocol and raising funds to reimburse users. Binance led the funding round, joined by Animoca Brands, Andreessen Horowitz and Paradigm, among others. Binance also recovered $5.8 million of the stolen funds that the listed wallets had sent to its platform.
On 23 June 2022, the Harmony Horizon bridge was hacked, resulting in a loss of about $100 million.
The bridge relies on a multi-signature validation process to release funds. Rather than requiring a majority of its five signers, as a bridge normally would, Horizon was configured as a 2-of-5 multisig, meaning an attacker only had to compromise two of the five signing accounts to approve any transaction.
The attacker obtained two private keys, which was all that was needed to approve withdrawals, drained about $100 million from the bridge and laundered the proceeds through Tornado Cash.
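Both the Ronin and Horizon incidents come down to the same arithmetic: an m-of-n threshold only protects against fewer than m compromised keys, and Horizon's 2-of-5 left very little margin. The following is an added example for this article, not code from either bridge: it models an m-of-n withdrawal approval with constructed validator sets sized like Ronin (9 signers, threshold 5) and Horizon (5 signers, threshold 2), and uses HMAC-SHA256 under a per-validator secret as a stand-in for a real ECDSA or ed25519 signature so that it runs on the standard library alone. Beyond the threshold itself, it shows two checks a practitioner would want in any such verifier: a signature only counts once per distinct validator, and only if it was made over the exact withdrawal message being approved.

```python
import hashlib
import hmac

# Constructed validator key material. A real bridge uses ECDSA or ed25519
# signatures; HMAC-SHA256 under a per-validator secret stands in for a
# signature here so the example runs on the standard library alone.


def make_validators(names):
    """Derive a constructed secret for each named validator."""
    return {name: hashlib.sha256(f"secret:{name}".encode()).digest() for name in names}


def sign(secret: bytes, message: bytes) -> bytes:
    """Stand-in signature: HMAC over the withdrawal message."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def approve_withdrawal(message: bytes, signatures, validators, threshold: int) -> bool:
    """m-of-n approval check over a withdrawal message.

    signatures: list of (validator_name, signature) pairs as submitted.
    Only distinct validators whose signature verifies over this exact message
    count towards the threshold, so one compromised key cannot be submitted
    twice, and a signature over some other message is worthless.
    """
    if not 0 < threshold <= len(validators):
        raise ValueError("threshold must be between 1 and the validator count")
    approved = set()
    for name, sig in signatures:
        secret = validators.get(name)
        if secret is None:
            continue  # signer is not in the validator set
        if hmac.compare_digest(sig, sign(secret, message)):
            approved.add(name)  # a set, so duplicates count once
    return len(approved) >= threshold


def attacker_can_withdraw(stolen, validators, threshold: int,
                          message: bytes = b"withdraw 100000000 USDC to attacker") -> bool:
    """Simulate an attacker who holds the secrets of the `stolen` validators
    and submits exactly one signature per stolen key."""
    sigs = [(name, sign(validators[name], message)) for name in stolen]
    return approve_withdrawal(message, sigs, validators, threshold)


# Constructed validator sets sized like the two bridges discussed above.
HORIZON = make_validators([f"horizon-{i}" for i in range(5)])  # 2-of-5
RONIN = make_validators([f"ronin-{i}" for i in range(9)])      # 5-of-9


if __name__ == "__main__":
    print("2 stolen keys, Horizon 2-of-5:",
          attacker_can_withdraw(["horizon-0", "horizon-1"], HORIZON, 2))
    print("2 stolen keys, Ronin 5-of-9:  ",
          attacker_can_withdraw(["ronin-0", "ronin-1"], RONIN, 5))
    print("5 stolen keys, Ronin 5-of-9:  ",
          attacker_can_withdraw([f"ronin-{i}" for i in range(5)], RONIN, 5))
```

Raising the threshold is necessary but not sufficient: Ronin's 5-of-9 still fell once the attacker held five keys, which is why key custody (separate operators, hardware-backed signers, no single party able to reach the threshold) matters as much as the m in m-of-n.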
Harmony published a post requesting the criminal to return the funds in exchange for stopping the investigation.
The company also identified the wallet used in the hack, along with several other wallets that received significant sums of ETH from the Horizon Bridge exploiter.
Unlike the majority of hacks, the story does not end there. Among the assets stolen from Horizon were AAG coins, the native coin of metaverse software company AAG Ventures, and the company's loss amounted to $84 million.
AAG had partnered with Lossless DeFi and deployed its mitigation tool to protect its funds. Lossless bills the tool as the industry's first framework for exploit mitigation.
Lossless had launched its protocol on Harmony only one day before the attack, so it was able to intervene as soon as the theft was announced and froze $78 million in AAG coins. Lossless announced on Twitter when the coins had been recovered.
The retrieved AAG coins were then returned to the AAG Ventures wallet.
All three of these major attacks targeted blockchain bridges. It demonstrates that this technology, however necessary, still needs to mature: the smallest flaw in code or key management can lead to huge losses that are frequently unrecoverable for users. I believe that while bridge technology improves, exploit mitigation solutions like the one offered by Lossless will also grow in importance.