Just a few days after the Wormhole Portal hack that led to losses of more than $302 million, Meter’s Passport bridge has experienced a similar attack.
The hack on meter.io has been estimated to be “a loss of around $4.3 Million, comprising $4.2 million in ETH and $83k worth of wBTC,” according to an update from CertiK. The attacker has transferred “much of their profits to Tornado Cash for laundering,” the blockchain security firm revealed.
The CertiK Incident Response team (CIRT) noted that the meter.io bridge provides multi-chain bridging between ETH, BSC, and Moonriver, and the attack “happened on a bridge feature that is used to automatically wrap and unwrap ETH or BSC gas tokens.”
Preliminary analysis indicates that the attacker “injected malicious code in a Bridge.deposit() function to take advantage of the Meter protocol’s failure to block direct interaction with these gas tokens.” Meter’s code also “omitted the verification that the correct number of wETH was transferred from the caller’s address.”
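The missing check described above, shown in its corrected form as an added example (this is not Meter's contract or CertiK's code; the contract name, function names and the `credited` mapping are hypothetical). A deposit is credited only from the value actually sent with the call or from the measured balance change after `transferFrom`, and the wrapped gas token gets no special branch that skips the transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IWrappedNative is IERC20 {
    function deposit() external payable; // wraps msg.value into the wrapped gas token
}

/// Hypothetical, simplified deposit handler for illustration only.
contract DepositHandlerSketch {
    IWrappedNative public immutable wrappedNative; // e.g. wETH on Ethereum
    // token => depositor => amount the bridge may release on the other chain
    mapping(address => mapping(address => uint256)) public credited;

    event Deposited(address indexed token, address indexed depositor, uint256 amount);

    constructor(IWrappedNative wrappedNative_) {
        wrappedNative = wrappedNative_;
    }

    /// Native path: the credited amount is exactly the value sent with the call,
    /// never a caller-supplied number.
    function depositNative() external payable {
        require(msg.value > 0, "no value sent");
        wrappedNative.deposit{value: msg.value}();
        _credit(address(wrappedNative), msg.sender, msg.value);
    }

    /// Token path: used for every ERC-20, the wrapped gas token included.
    /// The credit is based on what the handler actually received.
    function depositToken(IERC20 token, uint256 amount) external {
        require(amount > 0, "zero amount");
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        require(received == amount, "received != requested");
        _credit(address(token), msg.sender, received);
    }

    function _credit(address token, address depositor, uint256 amount) private {
        credited[token][depositor] += amount;
        emit Deposited(token, depositor, amount);
    }
}
```

The balance comparison in `depositToken` is the verification the quoted analysis says was omitted; a production handler would also need reentrancy protection and support for tokens that do not return a boolean from `transferFrom`.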
The update from CertiK further revealed:
“This is the third exploit of a cross-chain bridge in less than two weeks, coming hot on the heels of Qubit Finance ($80 million) and Wormhole ($302 million). The growing prevalence of bridge attacks raises concern about the fundamental security of existing multi-chain bridge infrastructure. And the magnitude of bridge exploits is often much higher than that of a single protocol, as bridges typically act as an escrow service across multiple chains.”
As mentioned in a blog post by CertiK, the massive scale of the Wormhole bridge exploit was a “wakeup call” to the DeFi community, though we need to “see these concerns translated into meaningful action.”
As we move towards a more integrated cross-chain ecosystem, interoperability will only “become more important,” according to CertiK. So too, however, will the reward for a “successful exploit” increase, as more and more funds are locked in cross-chain bridges, the team at CertiK noted.