$4.4 Million Stolen From Crypto Firm: Multi-Bridge ExploitedThis Is the Third Such Crypto Theft Reported in Two Weeks
Meter, a blockchain infrastructure company that provides multi-chain bridging and allows users to trade multiple cryptocurrencies across Ethereum and other public chains, has been exploited for around $4.4 million, the company acknowledged via Twitter. The hack also affected the Moonriver network.
"Around 6am Pacific time we identified someone was able to leverage a vulnerability of the bridge to mint a large amount of BNB and WETH tokens and depleted the bridge reserve for BNB on WETH," the decentralized finance (DeFi) infrastructure provider tweeted on Saturday.
1. Around 6am Pacific time we identified someone was able to leverage a vulnerability of the bridge to mint a large amount of BNB and WETH tokens and depleted the bridge reserve for BNB on WETH.— ⚡️Meter.io⚡️ (@Meter_IO) February 5, 2022
The highly decentralized DeFi space has a built-in, crypto-native, metastable currency - MTR. Meter uses HotStuff-based PoS consensus with MTRG - Meter Governance Token - to manage the blockchain ledger. Meter functions as a highly decentralized, high-performance side chain for Ethereum and other public chains, according to the company's website.
Growing Attack Surface
This is the third attack this month following the strike on the Wormhole network, a token bridge that allows users to trade multiple cryptocurrencies across the Ethereum and Solana blockchains, which were exploited for 120,000 ETH tokens ($321 million), and an attack at Qubit Finance, which runs on the Binance Smart Chain and was hacked for more than $80 million.
"The hack on meter.io has been estimated to be a loss of around $4.3 million, comprising $4.2 million in ETH and $83k worth of wBTC. The attacker has transferred much of their profits to Tornado Cash for laundering," according to blockchain security firm CertiK.
Meter says that all other tokens and their corresponding reserves are safe and that it has identified some early traces of the hacker and is working with authorities to catch the culprit.
"We urge the hacker to return the funds. Around $4.4m was lost," the company tweeted.
6. All the other tokens and their corresponding reserves are SAFU.— ⚡️Meter.io⚡️ (@Meter_IO) February 5, 2022
7. We have identified some early traces of the hacker and are working with authorities. We urge the hacker to return the funds.
8. Around $4.4 million was lost.
A spokesperson for Meter was not immediately available to comment.
The incident comes just months after a massive DeFi attack in which a hacker - infamously dubbed "Mr. White Hat" - drained the Poly Network protocol of more than $600 million in cryptocurrency, before gradually returning the funds. Experts suggested at the time that the hacker likely had trouble laundering the funds. It remains the costliest crypto heist to date (see: Poly Network Says $600 Million in Cryptocurrency Stolen).
"The growing prevalence of bridge attacks raises concern about the fundamental security of existing multi-chain bridge infrastructure. And the magnitude of bridge exploits is often much higher than that of a single protocol, as bridges typically act as an escrow service across multiple chains," the CertiK spokersperson says.
The CertiK Incident Response team says that the meter.io bridge provides multi-chain bridging between ETH, BSC and Moonriver, and the attack happened on a bridge feature that is used to automatically wrap and unwrap ETH or BSC gas tokens.
"Preliminary analysis indicates that the attacker injected malicious code in a Bridge.deposit() function to take advantage of the Meter protocol's failure to block direct interaction with these gas tokens. Meter's code also omitted the verification that the correct number of wETH was transferred from the caller's address," a spokesperson for CertiK tells Information Security Media Group.
The company says that once it became aware of the incident, it stopped all bridge transactions immediately and started an investigation.
"Within 30 minutes we identified the issue to be a bug introduced in the automatic wrap and wrap of native tokens like BNB and ETH extended by the Meter team. The extended code had a wrong trust assumption which allowed the hacker to call the underlying ERC20 deposit function to fake a BNB or ETH transfer. The only impacted tokens were native gas tokens (WETH and BNB), and only Meter and Moonriver networks were impacted," the company tweeted.
Community, we really appreciate everyone's patience and support as we work to get back up and running after this morning's exploit.— ⚡️Meter.io⚡️ (@Meter_IO) February 5, 2022
We have detailed everything in the below thread:
The firm says it is working on taking snapshots and designing a compensation plan for the Ethereum, or wETH, and Binance Coin, or BNB, holders and LP providers.
Wrapped Ethereum, or wETH, is an Ethereum Requests for Comments 20, or ERC-20, token - a common standard required to exchange ETH with other Ethereum-based tokens such as SOL, the native cryptocurrency of chain rival Solana, which is gaining traction in the non-fungible token, or NFT, and DeFi space.
"We urge all the liquidity providers that provide liquidity involving wETH and BNB to remove liquidity from the pool and wait for an additional announcement from the Meter team. Please try to avoid trading in these pairs as well. Pairs for other tokens are safe to trade," the company says.
A CertiK spokesperson says that the massive scale of the Wormhole bridge exploit was a wake-up call to the DeFi community and there is a need to see these concerns translated into meaningful action.
"As we move toward a more integrated cross-chain ecosystem, interoperability will only become more important. So too, however, will the reward for a successful exploit increase, as more and more funds are locked in cross-chain bridges," the CertiK spokesperson says.