Just days after the Wormhole Portal hack that resulted in losses of over $302 million, Meter’s Passport bridge has suffered a similar attack.
The hack on meter.io has been estimated to be a loss of around $4.3 Million, comprising $4.2 million in ETH and $83k worth of wBTC. The attacker has transferred much of their profits to Tornado Cash for laundering.
A visualization of the attacker’s address using Skytrace
According to the CertiK Incident Response team (CIRT), the meter.io bridge provides multi-chain bridging between ETH, BSC, and Moonriver, and the attack happened on a bridge feature that is used to automatically wrap and unwrap ETH or BSC gas tokens. Preliminary analysis indicates that the attacker injected malicious code in a Bridge.deposit() function to take advantage of the Meter protocol’s failure to block direct interaction with these gas tokens. Meter’s code also omitted the verification that the correct number of wETH was transferred from the caller’s address.
This is the third exploit of a cross-chain bridge in less than two weeks, coming hot on the heels of Qubit Finance ($80 million) and Wormhole ($302 million). The growing prevalence of bridge attacks raises concern about the fundamental security of existing mutl-chain bridge infrastructure. And the magnitude of bridge exploits is often much higher than that of a single protocol, as bridges typically act as an escrow service across multiple chains.
The massive scale of the Wormhole bridge exploit was a wakeup call to the DeFi community, though we need to see these concerns translated into meaningful action. As we move towards a more integrated cross-chain ecosystem, interoperability will only become more important. So too, however, will the reward for a successful exploit increase, as more and more funds are locked in cross-chain bridges.