A hacker exploits a flaw in Meter’s bridge and steals $4.3 million

by Thomas

This is the third hack of a cross-chain bridge in less than two weeks. This time it is Meter Passport, Meter’s bridge, which was exploited to the tune of 4.3 million dollars through a flaw in its code. The hack also caused a depreciation in the value of BNB on Moonriver, allowing users to take out cheaper loans.

Meter’s bridge hacked

Meter Passport, the bridge of the Meter sidechain, suffered a $4.3 million hack on Feb. 5 around 3pm. The exploit involves the Moonriver smart contract, which is based on Kusama, the Polkadot blockchain testnet.

According to the technical report of the attack by Certik, a company specialising in blockchain security, the hacker stole more than $4.2 million in ETH and $83,000 in wBTC (wrapped bitcoin).

He allegedly managed to introduce malicious code into a bridge deposit function, making it look like he had deposited wETH (wrapped Ether), before using it to mint BNB and wETH tokens for resale on SushiSwap.

To cover his tracks, the hacker then sent his loot to Tornado Cash, a protocol that mixes tokens to make them untraceable.

BNB depreciation on Moonriver

But the problem unfortunately doesn’t stop with the hack itself. Because the hacker resold his stolen BNB on the SushiSwap exchange, the price of the token crashed by 77% on Moonriver.

As a result, users took advantage of the situation to buy BNB at a lower price on the Hundred Finance protocol and then use it as collateral to borrow MIM, FRAX or ETH.

The Hundred Finance team has publicly requested that those who took advantage of the breach return their funds so as not to penalise the entire community.

At the time of writing, ETH loans have been returned in full. However, the platform is still seeing a $3.3 million shortfall.

For its part, Meter has acknowledged that it is responsible for the situation and is committed to repaying Hundred Finance:

“Meter has of course accepted responsibility for the hack and intends to use its native token [MTRG] for reimbursement where possible. We are currently collecting the various addresses and the corresponding amount for each.” – Vfat, the founder of Hundred Finance, in a statement to Rekt News.

Cross-chain bridges in trouble

Despite this blow, Meter was able to react quickly and announced that it had made up for the shortfall caused by the hack by reinjecting BNB and wETH tokens into its own platform in order to restore the original 1:1 ratio.

However, this is the third bridge hack in the space of two weeks, and more importantly, it involves three very similar processes. Indeed, as we reported on 28 January, Qubit Finance’s bridge had suffered an $80 million exploit.

Less than a week later, it was the turn of the Wormhole protocol to be robbed of $320 million in the form of wETH, thus constituting one of the largest attacks ever observed in the world of decentralised finance.

The year 2022 is therefore off to a rather painful start for cross-chain bridges, which will probably have to redouble their efforts to (re)gain the trust of users.
