Less than 24 hours ago we saw one of the biggest hacks in crypto history take place with $325 million worth of ETH stolen from the Wormhole bridge. Now, I wrote about the risks of using bridges the other day here, but this theft was done via a good old smart contract exploit so most of the things I talked about in my piece do not apply here (but are still relevant generally).
The key difference between a bridge exploit and a regular smart contract exploit is that bridges have massive downstream effects for the rest of the bridged-to chain. For example, because the ETH that was bridged to Solana from Ethereum via Wormhole became worthless at the time of the exploit (since all the ETH backing it was drained from the bridge contract), the rest of the Solana DeFi ecosystem was impacted. I havenāt been able to find any analysis on what exactly happened and to which apps, but some things that couldāve happened would be errant liquidations on money markets, liquidity pools with ETH in them being drained, and users holding the ETH losing out completely.
Itās important to note here that this type of exploit can also happen to layer 2 bridges because they too are smart contracts and are suscepitble to bugs. It doesnāt matter that the layer 2 bridge is secured by Ethereum layer 1 - just like it doesnāt matter when a DeFi contract is exploited on Ethereum - the result is still the same in the event of a bug. Itās also worth noting that there are other bridge constructions that can be susceptible to smart contract bugs, economic exploits, DoS attacks and more - these are the ones that we need to be especially cautious of as they are difficult to reason about.
Lastly, as users of these bridges itās critical that we all stay aware of the risks associated with them lest we become a victim of an exploit and lose funds. In Wormholes case, the ETH loss is being backstopped by some rich benefactors, but this will not be the case for most exploits. Iām afraid that a lot of money is going to be lost on these bridges over the coming years and really the only way to protect yourself completely is not to use them. But this is like saying that you shouldnāt use any smart contract - obviously thereās a risk spectrum and you need to just decide on what you feel comfortable with.
I donāt think this is the last bridge exploit/hack we will see and I donāt think itās the largest one either. As we progress through the adoption of multiple chains (layer 1ās, layer 2ās, sidechains - whatever), more and more value will be locked into bridge contracts and tey will become multi-billion dollar honeypots for attackers. The best thing we can hope for is that the developers of these bridges take security extremely seriously, put guardrails in place during the early days and warn users about the risks.
Have a great day everyone,
Anthony Sassano
Enjoyed todayās piece? I send out a fresh one every week day - be sure to subscribe to receive it in your inbox!
Join the Daily Gwei Ecosystem
All information presented above is for educational purposes only and should not be taken as investment advice.
Create your profile
Only paid subscribers can comment on this post
Check your email
For your security, we need to re-authenticate you.
Click the link we sent to , or click here to sign in.