In this post, I want to talk about the three biggest hacks in the history of cryptocurrencies, all of which happened recently in the cross-chain space. I will also describe the technical details of these hacks.
The first and largest one is the Ronin bridge hack that happened in March 2022. Approximately $624 million worth of tokens was stolen. This hack was not noticed until 6 days after it happened! The second one is Poly Network, which was hacked in Aug 2021. In this attack, more than $600 million worth of tokens was stolen. Fortunately, the hacker returned the funds to the network. The last hack I want to talk about happened on Wormhole in Feb 2022. This time $326 million was stolen.
This attack, the biggest in the history of crypto, happened on the Ronin bridge, which was created for the famous Axie game. This bridge provides high TPS but sacrifices decentralization and security to do so. The attack was a traditional social engineering attack rather than an exploit of a specific vulnerability in the contracts. Let’s see how it all happened.
The Ronin bridge had a set of 9 validators, and signatures from 5 of them were needed for a transaction to be executed in the bridge (this is the Proof of Authority model, in which no power or fund processing is needed; only the reputation of the validators matters). Four of these validators were operated by Sky Mavis. In November 2021, Axie DAO gave Sky Mavis permission to sign transactions on its behalf, to increase the throughput of the system. The permission was only used for about a month, but the allowance was never revoked. So, Sky Mavis could still create signatures for Axie DAO.
The hacker was able to compromise the validators from Sky Mavis and use their four signatures. Plus, they generated one extra signature on behalf of Axie DAO using the contract that gave permission to Sky Mavis to do so, ending up with all five signatures needed for approving deposits and withdrawals in the system. In the end, the hacker authorized two withdrawals, draining 173,600 ETH and 25.5 million USDC from the Ronin bridge contract.
The Ronin bridge team found out about the exploit only after a user reported that he was unable to withdraw 5k ETH from the bridge, which was 6 days after the attack. This shows the team did not have basic monitoring of their system.
Now, most of the stolen funds are in the hacker’s wallet.
To lower the security risk, the Ronin bridge team says: “Moving forward, the threshold will be eight out of nine. We will be expanding the validator set over time, on an expedited timeline.”
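The quorum problem described above can be checked mechanically. The following is an added example, not code from the original post or from the Ronin project: it counts how many distinct operators must be compromised to reach the signing threshold once delegations are included. The four "independent" validators and all names are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Validator:
    name: str              # constructed label, not a real validator id
    operator: str          # organisation holding the signing key
    delegates: tuple = ()  # operators allowed to sign on this validator's behalf

# Constructed model of the set described above: 9 validators, 4 run by
# Sky Mavis, and Axie DAO's validator with a delegation that was never revoked.
# The remaining four are assumed to be run by separate operators.
VALIDATORS = (
    [Validator(f"sky-mavis-{i}", "Sky Mavis") for i in range(1, 5)]
    + [Validator("axie-dao", "Axie DAO", delegates=("Sky Mavis",))]
    + [Validator(f"independent-{i}", f"Operator {i}") for i in range(1, 5)]
)

def signing_power(validators):
    """Map each operator to the validators it can produce signatures for."""
    power = {}
    for v in validators:
        for op in (v.operator, *v.delegates):
            power.setdefault(op, set()).add(v.name)
    return power

def min_operators_to_reach(validators, threshold):
    """Fewest operators whose compromise yields `threshold` signatures."""
    power = signing_power(validators)
    for k in range(1, len(power) + 1):
        for combo in combinations(power, k):
            covered = set().union(*(power[op] for op in combo))
            if len(covered) >= threshold:
                return k, combo
    return None, ()

def revoke_delegations(validators, validator_name):
    """Return a copy of the set with one validator's delegations removed."""
    return [Validator(v.name, v.operator) if v.name == validator_name else v
            for v in validators]

if __name__ == "__main__":
    for label, vset in (("delegation active", VALIDATORS),
                        ("delegation revoked", revoke_delegations(VALIDATORS, "axie-dao"))):
        for threshold in (5, 8):
            k, who = min_operators_to_reach(vset, threshold)
            print(f"{label}, {threshold}-of-9: {k} operator(s) suffice, e.g. {who}")
```

A result of 1 means the nominal 5-of-9 threshold is effectively a single point of failure; running the same audit whenever a delegation is granted or a validator is added catches the stale allowance.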
Unlike many attacks where the hacker takes out a flash loan and manipulates prices to be able to steal funds, in the Poly Network case the hacker directly found a vulnerability in the smart contracts and used it to attack the system. The hacker set the input of a smart contract so that it accessed another smart contract that no one should access. The second smart contract gave the hacker the power to withdraw any amount of funds for themselves.
Let’s see in more detail how the hacker was able to steal the funds from this validator-based bridge. Poly has a very important contract named EthCrossChainData that holds the public keys of validators. If someone could manage to access the function in this contract that changes the validators' public keys, they could put their own public key in, then construct a transaction at will and withdraw any amount of funds from the contract. However, for the protocol’s security, the function that can change the validators' public keys is protected by the OnlyOwner condition, so that no one can call it except its owner. Now let’s find out who the owner of this contract is. The owner is another contract named EthCrossChainManager, which can call EthCrossChainData and pass the OnlyOwner condition.
Contract EthCrossChainManager has a function named verifyHeaderAndExecuteTx. Anyone can call this function to execute cross-chain transactions. This function itself makes a contract call while being executed. This is where the critical issue was. There was a way for the hacker to trick EthCrossChainManager into calling EthCrossChainData instead of making the original contract call.
The rest is pretty easy: the hacker has to find the correct input to make EthCrossChainManager call EthCrossChainData, and trick it into giving them permission to withdraw funds.
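The ownership relationship described above is a confused-deputy problem, shown here as an added example that is not Poly Network's code and not from the original post. It is a simplified Python model in which `KeyStore` stands in for EthCrossChainData and `Manager` for EthCrossChainManager; the method names, `TokenVault`, and the allowlist-based hardening are hypothetical, and header and signature verification are left out.

```python
class Unauthorized(Exception):
    pass

class KeyStore:
    """Stands in for EthCrossChainData: validator keys, owner-only writes."""
    def __init__(self, owner, keys):
        self.owner, self.keys = owner, list(keys)

    def set_keys(self, caller, new_keys):  # hypothetical method name
        if caller is not self.owner:       # the OnlyOwner condition
            raise Unauthorized("only the owner may change validator keys")
        self.keys = list(new_keys)

class TokenVault:
    """Hypothetical ordinary destination of a cross-chain call."""
    def __init__(self):
        self.unlocked = []

    def unlock(self, caller, args):
        self.unlocked.append(args)

class Manager:
    """Stands in for EthCrossChainManager: executes the call named in a message."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.owned = set()   # contracts on which this manager has owner rights
        self.allowed = {}    # target -> methods a message may invoke

    def execute(self, message):
        target, method = message["target"], message["method"]
        if self.hardened:
            # Never let message input steer a call into a contract we own,
            # and only dispatch to explicitly registered (target, method) pairs.
            if target in self.owned or method not in self.allowed.get(target, ()):
                raise Unauthorized("call target not permitted for messages")
        return getattr(target, method)(self, message["args"])

def run(hardened):
    """Send one ordinary message and one aimed at the key store (constructed)."""
    manager = Manager(hardened)
    store = KeyStore(owner=manager, keys=["validator-key-1"])
    vault = TokenVault()
    manager.owned.add(store)
    manager.allowed[vault] = {"unlock"}
    manager.execute({"target": vault, "method": "unlock", "args": ["alice", 10]})
    try:
        manager.execute({"target": store, "method": "set_keys", "args": ["other-key"]})
    except Unauthorized:
        pass
    return store.keys, vault.unlocked
```

The OnlyOwner check passes in the unhardened run because the caller really is the owner; the missing control is in the manager, which lets message input choose where its owner privileges are applied.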
This way the attacker stole more than $600 million worth of tokens from this network. However, this story had a happy ending. The hacker and the Poly Network team started to communicate publicly. After Poly Network begged the hacker to give the funds back, the hacker decided to give back “some tokens”. The hacker even claimed that they were not interested in the money and might abandon it. Probably it was too hard for the attacker to launder that money. After lots of messages, the hacker finally announced that they were “ready to surrender” and gave the funds back.
In this case, the hacker was able to exploit a vulnerability in Wormhole to steal 120k ETH. The bridge was manipulated to credit this amount as having been deposited by the hacker. So, the hacker was able to mint the equivalent amount of whETH (Wormhole wrapped ETH) on Solana.
Wormhole is a validator-based bridge that has two main contracts, one on Ethereum and one on Solana. The contract on Solana checks the signatures of a message signed by the guardians (validators), which says which token to mint and how much. If the signatures are valid, it will execute the order. The hacker created a SignatureSet to bypass the guardians of the Wormhole bridge. Signature verification in Wormhole was outsourced to another program, and the contract was not checking the correctness of the signature-checking program, so the hacker substituted his own program for checking the signatures. The hack happened a few hours after a new commit was pushed to GitHub. This new commit added the required check for the correctness of the program, but before the team got the chance to deploy this change, the hacker used this vulnerability to perform the attack.
The Wormhole contract didn’t verify the address provided by the hacker correctly. It accepted the address containing only 0.1 ETH and gave the credit to the hacker to mint 120k whETH on Solana. After that, the hacker unwrapped 93,750 ETH back to Ethereum over the course of three transactions. The remaining whETH was liquidated on Solana.
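The missing check on the signature-verification program can be reduced to a few lines. This is an added example, not Wormhole's code and not from the original post: a Python model in which the caller supplies the address of the verifier to use, with HMAC standing in for guardian signatures and all keys, addresses and the quorum constructed for illustration.

```python
import hashlib
import hmac

GUARDIAN_KEYS = {"g1": b"key-1", "g2": b"key-2", "g3": b"key-3"}  # constructed
QUORUM = 2                                                        # constructed
TRUSTED_VERIFIER = "verifier:trusted"                             # constructed address

def sign(guardian, message):
    """Toy guardian signature: HMAC-SHA256 stands in for a real signature."""
    return hmac.new(GUARDIAN_KEYS[guardian], message, hashlib.sha256).digest()

def trusted_verify(message, sigs):
    """The real check: enough valid signatures from known guardians."""
    good = sum(1 for g, s in sigs.items()
               if g in GUARDIAN_KEYS and hmac.compare_digest(s, sign(g, message)))
    return good >= QUORUM

def substituted_verify(message, sigs):
    """A caller-supplied program that reports success for any input."""
    return True

# Programs reachable by address; the caller names which one the bridge uses.
PROGRAMS = {TRUSTED_VERIFIER: trusted_verify,
            "verifier:caller-supplied": substituted_verify}

def mint(message, sigs, verifier_addr, check_verifier_identity):
    """Execute a mint order if the outsourced signature check approves it."""
    if check_verifier_identity and verifier_addr != TRUSTED_VERIFIER:
        # The check the page says was committed but not yet deployed.
        raise ValueError("unexpected signature-verification program")
    if not PROGRAMS[verifier_addr](message, sigs):
        raise ValueError("guardian signatures invalid")
    return "minted: " + message.decode()

def outcome(message, sigs, verifier_addr, check_verifier_identity):
    """Return the mint result, or the rejection reason as a string."""
    try:
        return mint(message, sigs, verifier_addr, check_verifier_identity)
    except ValueError as exc:
        return "rejected: " + str(exc)
```

With `check_verifier_identity=False`, an order carrying no guardian signatures is minted as long as it names the substituted verifier; with the check on, the same order is rejected before any signature logic runs.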
After the exploit happened, the Wormhole team sent an on-chain message to the hacker to offer a bug bounty of $10M for exploit details and returning the stolen funds. But, they got no reply. However, the stolen funds got replaced by their backers very quickly.