Decentralized exchange (DEX) Uniswap (UNI) is launching a new bridge that will allow users to access other blockchains outside of Ethereum (ETH). In a new blog post, Uniswap Labs says that it’s launching the bridge in collaboration with Across Protocol (ACX), allowing users to swap crypto assets between nine different blockchains directly from the Uniswap […]
The post Uniswap Launches New Bridge Connecting DEX to Base, World Chain, Arbitrum and Others appeared first on The Daily Hodl.
Hundreds of potential exploiters appear to have drained all of the bridge’s $190 million in TVL in just a matter of hours.
The Nomad token bridge appears to have experienced a security exploit that has allowed hackers to systematically drain the bridge’s funds over a long series of transactions.
Nearly the entire $190.7 million in crypto has been removed from the bridge, with only $651.54 left remaining in the wallet, according to decentralized finance (DeFi) tracking platform DeFi Llama.
Nomad bridge is getting drained, your funds might be at risk and might be able to still withdraw the remaining funds ⚠️ https://t.co/RgYmjSV9eB
— stani.lens (,) (@StaniKulechov) August 1, 2022
The first suspicious transaction, which may have been the genesis of the ongoing exploit, came at 9:32pm UTC when someone managed to remove 100 Wrapped Bitcoin (WBTC) worth about $2.3 million tokens from the bridge.
Shortly after the community raised alarm bells over the potential exploit, the Nomad team confirmed at 11:35pm UTC that it was aware of the "incident involving the Nomad token bridge" adding it is "currently investigating the incident." The team did not immediately respond to a request for comment.
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓) (@nomadxyz_) August 1, 2022
The incident has seen WBTC, Wrapped Ether (WETH), USD Coin (USDC), Frax (FRAX), Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai (DAI), GeroWallet (GERO), Card Starter (CARDS), Saddle DAO (SDL), and Charli3 (C3) tokens taken from the bridge.
Exploiters removed tokens in an unusual fashion as each token was removed in nearly equivalent denominations. For example, transactions with exactly 202,440.725413 USDC were executed over 200 times.
Nomad is a token bridge that allows transfers of tokens between Avalanche (AVAX), ethereum (ETH), Evmos (EVMOS), Milkomeda C1, and Moonbeam (GLMR).
Unlike other exploits that have become somewhat commonplace in 2022, this event so far has hundreds of addresses receiving tokens directly from the bridge.
Meanwhile, the Moonbeam smart contract platform from the Polkadot network, whose native GLMR token was one targeted in the Nomad exploit, went into maintenance mode at 11:18pm UTC “to investigate a security incident.” As a result, Moonbeam’s functionality such as regular user transactions and smart contract interactions will be disabled.
1/ Important Notice: The Moonbeam Network has gone into Maintenance Mode in order to investigate a security incident with a smart contract deployed on the network.
— Moonbeam Network #HarvestMoonbeam (@MoonbeamNetwork) August 1, 2022
The attack is untimely for the bridge which and its seed round investors from a fundraise in April. On July 29, the project revealed in a tweet that Coinbase Ventures, OpenSea, and five other major companies in the crypto industry participated in an April seed round fundraising which landed Nomad a $225 million valuation.
The layer-1 blockchain’s main bridge between Ethereum, Binance Chain, and Bitcoin has been exploited for nine figures, but says its BTC bridge has not been affected.
The Horizon Bridge to the Harmony One layer-1 blockchain has been exploited for $100 million in altcoins which are being swapped for Ether (ETH).
The hack may vindicate previously raised community concerns about the robustness of the two of four multisig that reportedly secures the bridge.
Starting at about 7:08 am until 7:26 am ET, 11 transactions were made from the bridge for various tokens. They have since begun sending tokens to a different wallet to swap for ETH on the Uniswap decentralized exchange (DEX), then sending the ETH back to the original wallet.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony (@harmonyprotocol) June 23, 2022
More
So far, Frax (FRAX), Wrapped Ether (WETH). Aave (AAVE), Sushi (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD). Dai (DAI), Tether (USDT), Wrapped BTC (WBTC), and USD Coin (USDC) have been stolen from the bridge through this exploit.
The Horizon Bridge facilitates token transfers between Harmony and the Ethereum network, Binance Chain and Bitcoin. Harmony, the operator of the bridge, announced late on June 23 that the bridge has been halted. It said the BTC bridge and its assets have not been affected by the attack.
The Harmony One team also said it was working with “national authorities and forensic specialists” to determine who is responsible. A post-mortem is sure to follow.
The developers and the co-founder of Harmony One Nick White did not respond to requests for comment. Harmony One is a layer-1 blockchain using proof-of-stake consensus. Its native token is ONE.
Concerns have previously been expressed as to the soundness of Horizon’s multisig wallet on Ethereum which only required two out of the four signees to drain the funds. A founder of Chainstride Capital crypto-focused venture fund Ape Dev noted on Twitter April 2 that the low number of required signers would leave the bridge open for “another 9 figure hack.”
The security of the bridge is currently predicated on a multisig wallet deployed at 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6. It has four owners, two of which are required to consent in order to execute an arbitrary transaction (i.e. drain the $330m). pic.twitter.com/sgYmyPrYgf
— Ape Dev (@_apedev) April 1, 2022
Ape Dev’s prediction appears to have become a reality as the bridge is now down $100 million in assets.
He is far from the only developer in crypto to have qualms with the security of token bridges.
Vitalik Buterin discussed the issues with token bridges in a Reddit post this January. He posited that when bridges get exploited, it threatens the liquidity on each chain affected. He added that as the amount of token bridges increases, the threat of a 51% attack on one chain could present greater contagion risk to others.
Since his prediction, Meter’s token bridge, Axie Inifinity’s Ronin Bridge and the Wormhole Bridge were each exploited for nearly a combined $1 billion.
The national authorities and forensic specialists should be investigating *you* to figure out what kind of broken security practices allowed this "theft" to happen.
— Chris Blec (@ChrisBlec) June 24, 2022
Multisigs are an ongoing security issue in attacks. The Ronin Bridge was secured by nine validators, only five of which were required to verify a transaction. The attacker took control of the required five validators and extracted over $600 million in assets.
Related: Chainalysis launches reporting service for businesses targeted in crypto-related cyberattacks
The market does not yet appear to have responded to the attack as prices of all the coins and tokens in question have not made a significant move. However, ONE has dropped 7.4% over the past 24 hours, with most of the fall coming in the past 5 hours. It is trading at $0.024 according to CoinGecko.
Soon after the launch of the Stacks Bridge, more token and NFT transfers will be supported so users can benefit from the security of Bitcoin and the speed of other chains.
Multi-chain token bridge Allbridge will become the first to offer Stacks (STX) transfers as part of a partnership with Bitcoin software developer Daemon Technologies.
STX is the native token for the Stacks Layer-1 blockchain which settles transactions on the Bitcoin (BTC) network. It currently has a market cap of $1.7 billion. Allbridge currently serves 12 blockchains including Ethereum, various Ethereum-compatible sidechains, Solana, Terra, and others.
A token bridge allows crypto from one blockchain to be transferred to another one. The new bridge will allow transfers between Stacks and all chains served by Allbridge.
The Stacks Bridge will go live in Q2 2022. It will initially only support transfers of STX, but is planned to support transfers of other Stacks protocol SIP010 tokens such as ALEX and the USDA stablecoin. There are also plans to enable NFT transfers between chains.
In a Feb. 10 announcement, Allbridge co-founder Andriy Velykyv expressed how the partnership will help serve the crypto community’s need for access to the Bitcoin ecosystem.
“Creating a bridge that allows for people to interact with Bitcoin-powered applications will help streamline processes that were previously only limited to a single chain and ecosystem.”
Daemon Technologies is providing a $140,000 grant to Allbridge to help facilitate growth of the bridge. Daemon Technologies founder Xan Ditkoff told Cointelegraph that partnering with Allbridge to create the Stacks Bridge will “allow users to come and use the assets within the network for whatever the use case is.”
Ditkoff illustrated what he sees as the beneficial interplay between Stacks’ utilization of the Bitcoin network’s security for transaction settlement and separate blockchains for higher throughput. He said: “It’s good for people who want to transact on faster networks, then bring their assets onto Bitcoin for security.”
The security of token bridges has been in the spotlight this month. In the past 2 weeks, there have been three hacks of token bridge smart contracts. On Feb. 3, $321 million in wETH was minted through the exploit of a bug on Wormhole’s smart contracts on Solana, which created an inorganic surplus of tokens on the blockchain.
Related: Major crypto firms and groups form coalition aimed at promoting 'market integrity'
Ditkoff brushed off security concerns related to the Allbridge token bridge. He said, “We have a lot of confidence in the Allbridge team.”
“It’s easy for people to forget that these bridges are so new. How long have people been coding with Solana’s VM? Everything is still at the bleeding edge.”
Ethereum creator Vitalik Buterin made an eerily well-timed warning to the crypto community by writing in an early January Reddit post that there are “fundamental security limits of bridges.”
Ditkoff refuted Vitalik’s statement in saying, “I have a hard time seeing a future when bridges are not a huge part of the ecosystem,” and continued:
“The logic behind Vitalik’s words would be that everything settles on one chain that is optimized for the one thing that (Proof-of-Work) is made for: byzantine fault tolerance. Bitcoin doing that better than anything in human history will have an impact on whether one chain eventually dominates.”
The token bridge between Ethereum and Solana saw 120K wETH tokens removed from the platform and distributed between the hacker’s Solana and ETH wallets.
The Wormhole token bridge experienced a security exploit today, resulting in the loss of 120,000 wETH tokens ($321 million) from the platform.
Wormhole is a token bridge that allows users to send and receive crypto between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without the use of a centralized exchange (CEX). This is the largest crypto hack of 2022 so far and the second largest DeFi hack to date. The Wormhole team has offered a $10M bug bounty for the return of the funds.
The hack took place on the Solana side of the bridge and there are fears Wormhole’s bridge to Terra could be similarly vulnerable.
The Wormhole team has assured the community that its ETH supply would be replenished to “ensure wETH is backed 1:1,” but there is no word yet on where those funds will come from or when.
The wormhole network was exploited for 120k wETH.
— Wormhole (@wormholecrypto) February 2, 2022
ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly.
We are working to get the network back up quickly. Thanks for your patience.
The hack took place at 6:24pm UTC on Feb. 2. The attacker minted 120,000 wETH (WETH) on Solana, then redeemed 93,750 WETH for ETH worth $254 million onto the Ethereum network at 6:28pm UTC. The hacker has since used some funds to buy SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club Token (APE).
The remaining WETH was swapped for SOL and USDC on Solana. The hacker’s Solana wallet currently holds 432,662 SOL ($44 million).
No other assets or chains served by Wormhole have been reported affected, but smart contract auditing firm Certik said in a report today that “It is possible that Wormhole’s bridge to the Terra blockchain shares the same vulnerability as their Solana bridge.”
The Wormhole team contacted the hacker through their Ethereum address to offered to let the hacker keep $10 million worth of funds stolen if the remaining funds are returned.
“This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at contact@certus.one”
As of the time of writing, wETH tokens sent across the bridge are not yet redeemable while the Wormhole team attempts to fix the exploit.
This is the second smart contract exploit on a token bridge in a week. On Jan. 28, Qubit Finance’s QBridge was exploited for $80 million on BSC. It is also reminiscent of the Poly Network hack last August wherein $610 million in crypto was stolen off the platform. In that case, nearly all of the funds were returned by the whitehat hacker.
Related: $2.5B in stolen BTC from Bitfinex hack awakens
The frequency of smart contract hacks on token bridges serves to validate Vitalik Buterin’s Jan. 7 warning that there are “fundamental security limits of bridges.” The Ethereum co-founder’s admonition was within the context of a 51% attack on Ethereum, but his advice was well-timed as he pointed out the general vulnerability apparent on bridges that send tokens across layer-1 blockchains.
