Two cross-chain protocols hacked in a week

Two cross-chain protocols hacked in a week

❎ Cross-chain protocols play important role in building a multi-blockchain world, but they are not without flaws.

This week saw not one, but two hacks involving bridges: Wormhole and Qbridge.

?️ Wormhole, an interoperability protocol bridging Solana and Ethereum, was exploited yesterday on the Solana side.

As most bridges, Wormhole uses a two-way peg to simulate the experience of interoperability: to “transfer” tokens from one blockchain to another, a token is frozen on one, and a wrapped version of it minted on the other. The protocol maintained the 1:1 balance, assuring users can switch from a token to a wrapped token at any times… until a hacker found a vulnerability and minted themselves 120k WETH (wrapped ethers), an equivalent of $300M.

The vulnerability concerned the Solana validator action approval (the attacker used a fake system program to make it look like the bridge guardians have signed off on an inexistent 120k ETH deposit). It has since been patched, and the Wormhole promised to add 120 ETH to restore the balance.

? QBridge is a part of Qubit Finance DeFi protocol on BSC. On January 27th an attacker exploited a logic flaw in its code to trick the protocol into believing that inexistent funds were deposited, then minted wrapped ethers, which were used to drain $80M worth of BNB from the QBridge.

? Both Wormhole and QBridge are proposing bounties to their respective attackers – many crypto hacks have indeed ended in hackers becoming white hats and returning the funds. So far, however, noone responded.

Vitalik Buterin once noted his pessimism about cross-chain bridges, which, according to him, have fundamental security limits.
The recent hacks either proved him right, or gave interoperability developers more mistakes to learn on, making bridges more secure.

What do you think?