Welcome to PYMNTS’ series on crypto crime. In it, we’ll be looking at the crimes that have not only been committed in the cryptocurrency industry but have defined it — especially bitcoin — in many people’s minds.
We’ll give you a look at the realities and the myths, the methods and tools and ways authorities and private-sector security companies starting to break through the mythical anonymity that many criminals — and honest people — believe shield their transactions.
Along the way, we’ll tell you some stories to illustrate. Some will be funny, some will be whimsical, some will be sad, and a few will be horrifying. A whole lot of them will be hard to believe. But they’ll all be true — or at least what Watergate journalist Bob Woodward called “the best obtainable version of the truth.”
Read more:
PYMNTS Crypto Crime Series: When Privacy Counts, Crypto Users Turn to Mixing Services
PYMNTS Crypto Crime Series: In India Hacking Case, Bitcoin Trail Leads to Hamas
PYMNTS Crypto Crime Series: The Tale of QuadrigaCX, Canada’s Longest Crypto Ponzi Scheme
PYMNTS Crypto Crime Series: Another Day, Another Nine-Figure Crypto Hack
At $4.4 million, the latest cryptocurrency hack was so small it’s hardly worth reporting, except for one thing: It’s another cryptocurrency bridge protocol, and that’s a problem $1 billion big.
Bridges have an increasingly important niche in the cryptocurrency payments ecosystem, notably decentralized finance (DeFi). And they’re in jeopardy.
In just the past two weeks, three bridge protocols have been hacked, with the thieves making off with some $425 million. Add in the $612 million hack of Poly Network last August, and you’re well over $1 billion (despite the fact that the Poly hacker gave it all back).
So, what? Well, as cryptocurrency projects spread beyond the dominant decentralized application (DApp) platform Ethereum to a growing number of competitive blockchains, everything from metaverses and nonfungible token (NFT) markets to lending platforms are finding themselves siloed in blockchains that cannot talk to each other directly.
That’s where bridge protocols come in. They carry out a vital function, letting crypto owners trade both data and cryptocurrencies between blockchains directly, without the time and expense of going through an exchange.
Generally, the way they work is that you take crypto funds in one currency — say Solana’s SOL tokens — and deposit it in a bridge protocol, which in turn gives you tokens usable on another blockchain, Ethereum for example.
See also: What Is Solana?
But like any institution to which people are asked to entrust their money, faith is key. Bridges are going strong now, but if they come to be seen as vulnerable, users may decide to run.
Bridges are getting more ambitious, however. The Polkadot blockchain bridge lets users automate the exchange process and add data to the transaction. So, you could take tokens on any of the 100 sub-blockchains it will eventually host and send them directly to a DeFi lending/borrowing program, for example, on another with instructions to invest it in a specific lending pool to earn interest.
Read more: The Most Ambitious of the ‘Ethereum Killers,’ Polkadot’s Launch Could Begin the Reinvention of DeFi
It’s not just a more convenient transaction process; it could effectively turn the siloed crypto blockchain universe into a single ecosystem. That’s a big goal in the industry.
What’s Going Wrong?
We’ll look at the three recent hacks, Wormhole’s $325 million theft Jan. 27, Qubit’s $80 million loss Feb. 8, and the $4.4 million attack on Meter Passport Feb. 5.
And we’ll refer you to the more in-depth stories linked below for the curious case of the Poly Network’s hack that wasn’t, and the tragic case of Wormhole’s $325 million hack that was.
Read more: The $612 Million Heist That Wasn’t
See also: Another Day, Another Nine-Figure Crypto Hack
But what you’ll see in common is two big exploitable problems with bridge protocols generally.
First, the senders’ tokens must typically be locked into the protocol directly, meaning they are effectively kept in an online, and therefore, vulnerable “hot wallet.”
Read also: What’s a Crypto Wallet and How You Can Avoid Losing a Quarter Billion Dollars?
Second, they generally accomplish the cross-chain cryptocurrency swap by minting what are called “wrapped” versions of the receiving blockchain’s tokens. That leaves a very big problem if a hacker can mint wrapped tokens and immediately redeem them for TKTK, which can be quickly sent off to private wallets and coin mixing services.
See also: When Privacy Counts, Crypto Users Turn to Mixing Services
What’s noteworthy is that when bridge protocols are ripped off, it’s not the crypto exchange or DApp development company that loses — and often absorbs or makes good the losses — it’s thousands of individual bridge users who are generally on their own.
However, Jump Crypto, the venture capital firm backing Wormhole “replenished” its coffers with $320 million in ether — effectively keeping its investment from going belly-up — to be repaid over time.
What Happened?
On Jan. 27, Binance Smart Chain (BSC)-based Qubit’s QBridge protocol was hacked by someone who exploited a flaw to convince the DApp’s smart contracts to mint 77,000 of its wrapped ether token, qXETH, worth $185 million, without actually depositing any funds. The thieves then redeemed those wrapped ether tokens for 207,000 of BSC’s Binance Coin (BNB) token, worth $80 million before deciding to take the money and run. Both developer and thousands of users were wiped out.
On Feb. 11, the development team behind Qubit, Mound, announced that it could no longer afford to pay for further work on Qubit or another protocol, Bunny Finance, and would convert the centralized projects into DeFi protocols governed by a decentralized autonomous organization (DAO) — effectively walking away empty handed.
Read also: Unpacking DeFi and DAO
The $4.4 million hack of bridge Meter Passport started when bad actors used an exploit to mint wrapped ether (wETH) and BNB tokens.
It got worse from there, as the attacker immediately sold the BNB on SushiSwap, a top DeFi exchange. That in turn caused a localized price crash on BNB, which was noticed, leading people to buy the coin cheaply and then use it to take out loans on the Hundred Finance lending platform, which accepted them at the normal value, and trade them for other unaffected tokens. As the “hot” BNB had to be returned, the loans were left uncollateralized, costing the lenders millions.
Meter has set aside $4.4 million of its native MTGR tokens to repay its users and Hundred Finance.
The Wormhole hack also caused the Solana-to-Ethereum bridge to create wrapped tokens and redeem them for real ether. In that case, the VC behind Wormhole made good the losses.
Finally, back in August, a hacker found a vulnerability that let him transfer all of the $612 million in cryptocurrency stored by people who had used it as collateral to buy wrapped tokens into his own wallet. Amazingly, the hacker, nicknamed “Mr. White Hat” by Poly Networks, gave it all back over a few weeks.
That leads to the question: Should you trust a crypto bridge?