Bridge Hack List

bridge_hacks.md

ChainSwap 1

• $800k
• July 2, 2021
• Vulnerability: Smart contract bug
• Note: Users reported lost funds, ChainSwap shut down all nodes and a fix was deployed within 30 minutes.
• Source: https://chain-swap.medium.com/chainswap-post-mortem-and-compensation-plan-90cad50898ab

ChainSwap 2

• $4.4M
• July 10, 2021
• Vulnerability: Smart contract bug
• Note: Funds lost
• Source: https://halborn.com/explained-the-chainswap-hack-july-2021/

Multichain 1 (Anyswap)

• $7.9M
• July 10, 2021
• Vulnerability: Repeated k-value caused compromised MPC keys
• Source: https://medium.com/multichainorg/anyswap-multichain-router-v3-exploit-statement-6833f1b7e6fb

Thorchain 1

• $5M
• July 16, 2021
• Vulnerability: Smart contract bug
• Source: https://thearchitect.notion.site/THORChain-Incident-07-15-7d205f91924e44a5b6499b6df5f6c210, https://halborn.com/explained-the-thorchain-hack-july-2021/

Thorchain 2

• $8M
• July 26, 2021
• Vulnerability: Smart contract bug
• Source: https://www.coindesk.com/markets/2021/07/23/blockchain-protocol-thorchain-suffers-8m-hack/

Poly Network

• $610M
• August 10, 2021
• Vulnerability: Smart contract bug
• Note: Tether froze $33 million worth of USDT, funds returned by hackers
• Source: https://blog.chainalysis.com/reports/poly-network-hack-august-2021/

Multichain 2

• $3M
• January 17, 2022
• Vulnerability: Smart contract bug
• Note: Approvals got drained
• Source: https://halborn.com/explained-the-multichain-hack-january-2022/

Wormhole

• $326M
• February 2, 2022
• Vulnerability: Smart contract bug
• Source: https://blog.chainalysis.com/reports/wormhole-hack-february-2022/

Li Finance

• $600k
• March 20, 2022
• Vulnerability: Smart contract bug
• Response: Discovered 12 hours later and then contracts paused
• Source: https://blog.li.fi/20th-march-the-exploit-e9e1c5c03eb9

Ronin

• $650M
• March 23, 2022
• Vulnerability: Compromised keys
• Note: Lazarus group, Unnoticed for 6 days!
• Source: https://roninblockchain.substack.com/p/back-to-building-ronin-security-breach

Harmony Horizon Bridge

• $100M
• June 24, 2022
• Vulnerability: Compromised keys
• Source: https://halborn.com/explained-the-harmony-horizon-bridge-hack/

Nomad

• $190M
• August 1, 2022
• Vulnerability: Smart contract bug
• Note: Whitehats rescued some funds
• Source: https://halborn.com/the-nomad-bridge-hack-a-deeper-dive/

BNB Chain Bridge

• $566M
• October 7, 2022
• Vulnerability: Improper Merkle tree validation
• Source: https://www.halborn.com/blog/post/explained-the-bnb-chain-hack-october-2022

Poly Network 2

• $10M
• July 1, 2023
• Vulnerability: Smart contract bug/signature validation
• Source: https://metisdao.medium.com/post-mortem-polynetworks-exploit-87614cd42396

Multichain 3

• $126M
• July 6, 2023
• Vulnerability: Compromised keys
• Source: https://www.halborn.com/blog/post/explained-the-multichain-hack-july-2023

Orbit

• $82M
• December 31st, 2023
• Vulnerability: Compromised keys or bug in signature validation (replay attack)
• Source: https://www.halborn.com/blog/post/explained-the-orbit-bridge-hack-december-2023

Socket/Bungee

• $3.3M
• January 16th, 2023
• Vulnerability: Smart contract bug - external call
• Note: Approvals got drained
• Source: https://twitter.com/spreekaway/status/1747337879771033632

ouch.

Socket/Bungee should be 2024, not 2023