New Year Shock: Cross-chain bridge attacked by hackers, losses up to 80 million USD.
Cross-chain bridge project attacked, losses as high as 80 million USD
At the start of 2024, a major security incident shook the cryptocurrency world. A cross-chain bridge platform was attacked, with losses of approximately $80 million. According to a security risk monitoring platform, the attackers had begun small-scale probing attacks a day earlier and used the stolen ETH to pay transaction fees for the subsequent large-scale attack.
This cross-chain bridge project allows users to transfer crypto assets between different blockchain networks. Currently, the project team has suspended the operation of the cross-chain bridge contract and is attempting to communicate with the attacker.
Event Analysis
The attack was primarily carried out by directly calling the withdraw function of the cross-chain bridge contract to transfer assets. Further analysis revealed that this function uses a signature verification mechanism to ensure the legitimacy of the withdrawal operation.
In blockchain transactions, signature verification is a common security measure used to confirm the identity and authority of the transaction initiator. By verifying the signatures, the withdraw function ensures that only authorized parties can invoke it and transfer assets.
The signature verification function returns the number of signatures from owners, which is crucial for validating the legitimacy of the transaction. The system compares the returned number of signatures with a preset threshold to decide whether to execute the transaction.
According to on-chain data, there are a total of 10 administrator addresses for this contract, with a required value of 7, meaning that 70% of the administrators must sign off in order to withdraw assets.
In summary, this incident was likely caused by a phishing attack on the server that stored the administrator's private key.
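The threshold check described above, as an added sketch that is not the project's contract code: it counts distinct owner signatures over a digest of the withdrawal and compares the count with the required value of 7. HMAC-SHA256 stands in for the contract's on-chain signature scheme, and the owner names, keys, and field layout are constructed for illustration.

```python
import hashlib
import hmac
import json

REQUIRED = 7  # threshold reported on the page: 7 of 10 administrators

# Constructed demo keys. HMAC-SHA256 is a stand-in for real on-chain signatures.
OWNER_KEYS = {
    f"owner{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest()
    for i in range(10)
}


def withdrawal_digest(token, recipient, amount, tx_id):
    """Bind every withdrawal field so a signature cannot be reused for another request."""
    msg = json.dumps([token, recipient, amount, tx_id]).encode()
    return hashlib.sha256(msg).digest()


def sign(owner, digest):
    """Produce the stand-in signature of one owner over a withdrawal digest."""
    return hmac.new(OWNER_KEYS[owner], digest, hashlib.sha256).digest()


def count_owner_signatures(digest, signatures):
    """Return how many distinct owners supplied a valid signature over digest."""
    seen = set()
    for owner, sig in signatures:
        key = OWNER_KEYS.get(owner)
        if key is None or owner in seen:
            continue  # unknown signer or repeated owner: never counted
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            seen.add(owner)
    return len(seen)


def can_withdraw(token, recipient, amount, tx_id, signatures):
    """Execute only if the number of distinct owner signatures meets the threshold."""
    digest = withdrawal_digest(token, recipient, amount, tx_id)
    return count_owner_signatures(digest, signatures) >= REQUIRED
```

The check only counts signatures. It cannot tell whether the signing keys were held independently, so a threshold of 7 gives no protection beyond that of the machine holding the keys.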
Attack Process
On-chain data shows that the attacker began launching small-scale attacks on the project on December 30, 2023, and distributed the small amount of stolen ETH to other attack addresses to cover transaction fees.
Subsequently, on the evening of December 31, multiple attack addresses launched large-scale attacks on assets such as DAI, WBTC, ETH, USDC, and USDT in the project.
Capital Flow
As of the report date, the stolen funds have been transferred to five different addresses. The attackers moved approximately $50 million in stablecoins (including $30 million in Tether, $10 million in DAI, and $10 million in USDC), 231 wBTC (worth about $10 million), and 9,500 ETH (worth about $21.5 million) to new wallet addresses through five separate transactions.
Security Insights
This incident once again highlights the importance of security in blockchain systems. When designing and implementing blockchain projects, we should always prioritize security.
First, the security of the contract code is crucial. As the core of the blockchain system, the contract code should strictly follow best practices and security standards during writing and review to avoid common security vulnerabilities.
Second, an effective identity verification and access management mechanism is indispensable. A robust authentication system, multi-signature, and strict access control can effectively prevent unauthorized access and asset loss, ensuring that only authorized entities can perform sensitive operations.