SoK: A Review of Cross-Chain Bridge Hacks in 2023

Nikita Belenkov, Valerian Callens, Alexandr Murashkin, Kacper Bak, Martin Derka, Jan Gorzny, Sung-Shine Lee

TL;DR

Cross-chain bridges enable asset transfers across blockchains but introduce new attack surfaces that have caused substantial losses. The paper analyzes hacks from 2022–2023, focusing on custodian and communicator weaknesses, and classifies incidents into concrete vectors. It provides detailed real‑world case studies (e.g., Binance, Nomad, Qubit, Wintermute, Harmony Horizon, Ronin, and Celer) and outlines targeted mitigations and design principles. The study underscores the need for standardized security practices and lifecycle governance to improve resilience and trust in cross‑chain interoperability.

Abstract

Blockchain technology has revolutionized industries by enabling secure and decentralized transactions. However, the isolated nature of blockchain ecosystems hinders the seamless transfer of digital assets across different chains. Cross-chain bridges have emerged as vital web3 infrastructure to address this challenge by facilitating interoperability between distinct blockchains. Cross-chain bridges remain vulnerable to various attacks despite sophisticated designs and security measures. The industry has experienced a surge in bridge attacks, resulting in significant financial losses. The largest hack impacted Axie Infinity Ronin Bridge, with a loss of almost $600 million USD. This paper analyzes recent cross-chain bridge hacks in 2022 and 2023 and examines the exploited vulnerabilities. By understanding the attack nature and underlying weaknesses, the paper aims to enhance bridge security and propose potential countermeasures. The findings contribute to developing industry-wide standards for bridge security and operational resilience. Addressing the vulnerabilities and weaknesses exploited in recent cross-chain bridge hacks fosters trust and confidence in cross-chain interoperability.

Paper Structure (27 sections, 10 figures)

Figures (10)

  • Figure 1: Cross-chain transfer from a source chain (Ethereum) to a destination chain (Another Chain). The digital asset is deposited (ETH) into the custodian contract, which triggers a reaction by the Communicator that will interact with the debt issuer contract to mint debt tokens (acETH) in favor of the cross-chain transfer recipient.
  • Figure 2: Cross-chain transfer from a source chain (Another Chain) to a destination chain (Ethereum). The debt tokens (acETH) are burned in the debt issuer contract, which triggers a reaction by the communicator that will interact with the custodian contract to unlock the digital asset (ETH) in favor of the cross-chain transfer recipient.
  • Figure 3: Overview of the normal interaction with the bridge using Merkle proofs.
  • Figure 4: An example of a Merkle Tree. The leaf nodes are A, B, C, and D, and the parent node of A and B has the value of the hash of A and B, noted H(A,B). Hence the root of the tree is the hash of its two child nodes, meaning H(H(A,B), H(C,D)).
  • Figure 5: Overview of the attack of the Binance Bridge.
  • ...and 5 more figures
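
The four-leaf tree of Figure 4 and the membership check a bridge relies on in Figure 3, as an added example that is not code from the paper. SHA-256 as H, the function names, and the fixed-depth check are assumptions made for this sketch.

```python
import hashlib

def H(left: bytes, right: bytes) -> bytes:
    # Assumption: SHA-256 over the concatenation; the caption only names H.
    return hashlib.sha256(left + right).digest()

def build_levels(leaves):
    """Return every level of the tree, leaf level first, root level last."""
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("this sketch needs a power-of-two number of leaves")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels, index):
    """Collect the sibling at each level, from the leaf up to below the root."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        # Record on which side the sibling sits so the verifier hashes in order.
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify(root, leaf, proof, depth):
    """Recompute the root from a leaf and its sibling path."""
    # Added hardening (not from the paper): pin the path length, because in a
    # tree whose leaves are raw values a shorter path would let an inner node
    # value be presented as if it were a leaf.
    if len(proof) != depth:
        return False
    node = leaf
    for sibling, sibling_is_left in proof:
        node = H(sibling, node) if sibling_is_left else H(node, sibling)
    return node == root

# Constructed sample data: the leaves A, B, C, D from the Figure 4 caption.
LEAVES = [b"A", b"B", b"C", b"D"]
LEVELS = build_levels(LEAVES)
ROOT = LEVELS[-1][0]        # equals H(H(A,B), H(C,D))
DEPTH = len(LEVELS) - 1     # 2 for four leaves

if __name__ == "__main__":
    proof_c = make_proof(LEVELS, 2)
    print("C is in the tree:", verify(ROOT, b"C", proof_c, DEPTH))
    print("X is in the tree:", verify(ROOT, b"X", proof_c, DEPTH))
```
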