Cointime

What Are Common Bridge Security Vulnerabilities?

This article is a community submission. The author is Minzhi He, an auditor at CertiK.

Views in this article are of the contributor/author and do not necessarily reflect those of Binance Academy.

TL;DR

Blockchain bridges are critical in achieving interoperability in the blockchain space. Hence, bridge security is of paramount importance. Some common bridge security vulnerabilities include weak on-chain and off-chain validation, improper handling of native tokens, and misconfigurations. Testing the bridge against all possible attack vectors is recommended to ensure sound verification logic.

Introduction

A blockchain bridge is a protocol connecting two blockchains to allow interactions between them. If you own bitcoin but want to participate in DeFi activity on the Ethereum network, a blockchain bridge enables you to do so without selling your bitcoin.

Blockchain bridges are fundamental to achieving interoperability within the blockchain space. They function using various on-chain and off-chain validations and therefore have different security vulnerabilities.

Why Is Bridge Security Critical?

A bridge usually takes custody of the tokens a user wants to transfer from one chain to another. Often deployed as smart contracts, bridges hold a significant amount of tokens as cross-chain transfers accumulate, making them lucrative targets for hackers.

In addition, blockchain bridges have a large attack surface because they involve many components: contracts on two or more chains, off-chain relayers or signers, and the front end users interact with. As a result, malicious actors are highly motivated to target cross-chain applications to drain large sums of funds.

Bridge attacks led to losses of over 1.3 billion USD in 2022, accounting for 36% of the year’s total losses, according to CertiK’s estimates.

Common Bridge Security Vulnerabilities

To enhance the security of bridges, it’s valuable to understand common bridge security vulnerabilities and test the bridges for them before launch. These vulnerabilities can be categorized into the following four areas.

Weak on-chain validation

For simple bridges, especially those designed for specific DApps, on-chain validation is kept to a minimum. These bridges rely on a centralized backend to execute basic operations like minting, burning, and token transfers while all verifications are performed off-chain.

In contrast, other types of bridges use smart contracts to validate messages and perform verifications on-chain. In this scenario, when a user deposits funds on the source chain, the bridge contract records the deposit, typically by emitting an event or committing it to a Merkle root, and a proof of that deposit (a signature from the bridge’s signers over the deposit data, or a Merkle proof against a committed root) is checked by the contract on the destination chain before the withdrawal is released. Note that the contract itself cannot sign anything, since it holds no private key: signatures are always produced off-chain and only verified on-chain. Done correctly, this verification prevents replay attacks and forged deposit records.

However, if there is a flaw in the on-chain validation logic, the attacker can cause severe damage. For example, if a bridge uses a Merkle tree to commit to its transfer records, a verifier that does not distinguish leaf hashes from internal node hashes, does not check the proof against a committed root, or does not mark each proven leaf as spent lets an attacker construct a proof for a deposit that never happened, or reuse a genuine one, and mint new tokens to their own account.
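
The following is an added example, written for this article rather than taken from it or from CertiK, that models in Python the Merkle verification just described. It places a verifier that hashes leaves and internal nodes the same way beside one that prefixes them differently (the 0x00/0x01 convention from RFC 6962), shows how the first accepts a 64-byte “deposit” that is really two sibling hashes, and adds the spent-leaf check that stops a genuine proof from being redeemed twice. The deposit record layout, the use of SHA-256 in place of keccak256 and the sample deposits are assumptions.

```python
"""Merkle deposit proofs: a verifier without leaf/node domain separation beside a hardened one.
Added example for this article (not CertiK's or any bridge's code). Record layout,
SHA-256 in place of keccak256 and the 0x00/0x01 prefixes (RFC 6962) are assumptions."""
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def deposit_leaf(user: str, amount: int, nonce: int) -> bytes:
    # Assumed record layout; a real bridge would ABI-encode these fields.
    return f"{user}:{amount}:{nonce}".encode()

# Weak scheme: leaves and internal nodes are hashed the same way.
def weak_leaf_hash(leaf: bytes) -> bytes:
    return h(leaf)

def weak_node_hash(left: bytes, right: bytes) -> bytes:
    return h(left + right)

# Hardened scheme: a leaf can never hash to the same value as an internal node.
def hard_leaf_hash(leaf: bytes) -> bytes:
    return h(b"\x00" + leaf)

def hard_node_hash(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def build_tree(leaves, leaf_hash, node_hash):
    """All levels: levels[0] holds the leaf hashes, levels[-1] the single root."""
    assert (len(leaves) & (len(leaves) - 1)) == 0, "example keeps the tree a power of two"
    levels = [[leaf_hash(x) for x in leaves]]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([node_hash(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def make_proof(levels, index):
    """Sibling path for the leaf at `index` as (sibling_hash, sibling_is_left) pairs."""
    proof = []
    for lvl in levels[:-1]:
        sib = index ^ 1
        proof.append((lvl[sib], sib < index))
        index //= 2
    return proof

def verify(leaf, proof, root, leaf_hash, node_hash) -> bool:
    node = leaf_hash(leaf)
    for sib, sib_is_left in proof:
        node = node_hash(sib, node) if sib_is_left else node_hash(node, sib)
    return node == root

# Constructed deposit records standing in for real source-chain deposits.
DEPOSITS = [deposit_leaf("alice", 100, 0), deposit_leaf("bob", 5, 1),
            deposit_leaf("carol", 7, 2), deposit_leaf("dave", 1, 3)]

def honest_claim_verifies(leaf_hash, node_hash) -> bool:
    levels = build_tree(DEPOSITS, leaf_hash, node_hash)
    return verify(DEPOSITS[2], make_proof(levels, 2), levels[-1][0], leaf_hash, node_hash)

def forged_claim_verifies(leaf_hash, node_hash) -> bool:
    """Attacker presents two adjacent leaf hashes (64 bytes) as one deposit record. Without
    domain separation, leaf_hash(L0 || L1) equals the internal node above them, so the rest
    of the path to the root checks out for a deposit nobody made."""
    levels = build_tree(DEPOSITS, leaf_hash, node_hash)
    fake_leaf = levels[0][0] + levels[0][1]
    fake_proof = make_proof(levels, 0)[1:]  # path from the level-1 node upward
    return verify(fake_leaf, fake_proof, levels[-1][0], leaf_hash, node_hash)

class ClaimRegistry:
    """Destination-side check: valid proof against a committed root, redeemable once."""
    def __init__(self, root: bytes):
        self.root = root
        self.spent = set()

    def claim(self, leaf: bytes, proof) -> bool:
        key = hard_leaf_hash(leaf)
        if key in self.spent or not verify(leaf, proof, self.root, hard_leaf_hash, hard_node_hash):
            return False
        self.spent.add(key)
        return True

def replay_attempt():
    """(first_claim_ok, replay_ok) for the same proof submitted twice."""
    levels = build_tree(DEPOSITS, hard_leaf_hash, hard_node_hash)
    registry = ClaimRegistry(levels[-1][0])
    proof = make_proof(levels, 1)
    return registry.claim(DEPOSITS[1], proof), registry.claim(DEPOSITS[1], proof)
```

Whether the forged 64-byte record also decodes into a useful recipient and amount depends on how the bridge encodes its leaves, which is why the domain separation belongs at the hash level and not only in the decoding step.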

Certain bridges implement the concept of “wrapped tokens.” For instance, when a user transfers DAI from Ethereum to BNB Chain, their DAI is taken from the Ethereum contract, and an equivalent amount of wrapped DAI is issued on the BNB Chain.

However, if the deposit or withdrawal call is not properly validated, an attacker can supply manipulated arguments, or deploy a malicious contract that calls the bridge with them, so that the wrapped tokens or the locked assets are routed to an address the attacker controls.

To drain other users’ funds this way, the attacker relies on victims having approved the bridge contract to spend their tokens: a bridge function that accepts a caller-supplied source address and then calls “transferFrom” on it pulls the victim’s tokens using the victim’s own approval while crediting the deposit to the attacker.

Unfortunately, this is made worse because many bridges request infinite token approval from DApp users. This is a common practice that saves the gas of re-approving before every deposit, but it creates additional risk by allowing a smart contract to move an unlimited amount of tokens from the user’s wallet for as long as the approval stands. Attackers are able to exploit the lack of validation and the excessive approval to transfer tokens from other users to themselves.

Weak off-chain validation

In some bridge systems, the off-chain backend server plays a critical role in verifying the legitimacy of messages sent from the blockchain. The discussion here focuses on the verification of deposit transactions.

A blockchain bridge with off-chain validation works as follows:

  1. Users interact with the DApp to deposit tokens into the smart contract on the source chain.
  2. The DApp then sends the deposit transaction hash to the backend server via an API.
  3. The transaction hash is subject to several validations by the server. If deemed legitimate, a signer signs a message and sends the signature back to the user interface via the API.
  4. Upon receiving the signature, the DApp verifies it and permits the user to withdraw their tokens from the target chain.

The backend server must ensure that the deposit transaction it processes has actually occurred and was not forged. This backend server determines whether a user can withdraw tokens on the target chain and is, therefore, a high-value target for attackers.

The backend server needs to validate not only the structure of the event emitted by the transaction but also the contract address that emitted it. If the latter check is neglected, an attacker can deploy their own contract that emits an event with exactly the same structure as a legitimate deposit event, call it, and submit the resulting transaction hash to the backend.

A backend that does not verify which address emitted the event treats the forged event as a valid deposit and signs the message. The attacker then presents that signature on the target chain and withdraws tokens that were never deposited. The same server should also confirm that the transaction actually succeeded, wait for enough confirmations to rule out a reorganisation, and record each transaction hash it has signed for so that the same deposit cannot be redeemed twice.
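
As an added example (not the article’s or any real bridge’s backend), the Python below models steps 2 to 4 of the flow above together with the emitter check just described. A weak validator signs for any receipt containing a correctly shaped Deposit event; the hardened one also requires the event to come from the bridge contract, the transaction to have succeeded, a margin of confirmations, and one signature per transaction hash. The receipt layout follows what eth_getTransactionReceipt returns; the addresses, the event topic, the signer key and the HMAC standing in for an ECDSA signature are constructed.

```python
"""Off-chain deposit validation: shape-only checking beside a backend that also checks
emitter, status, confirmations and replay. Added example for this article; addresses,
topic, signer key and the HMAC stand-in for ECDSA are constructed."""
import hashlib
import hmac

BRIDGE_CONTRACT = "0x" + "b" * 40     # assumed: the only contract whose Deposit events count
ATTACKER_CONTRACT = "0x" + "a" * 40   # assumed: attacker-deployed contract emitting a look-alike
TOKEN, USER, ATTACKER = "0x" + "c" * 40, "0x" + "1" * 40, "0x" + "2" * 40
# topic0 stand-in (a real bridge uses keccak256 of the event signature)
DEPOSIT_TOPIC = "0x" + hashlib.sha256(b"Deposit(address,address,uint256,uint256)").hexdigest()
SIGNER_KEY = b"constructed signer key"

def abi_word(value) -> str:
    """32-byte ABI word as 64 hex characters (addresses are left-padded)."""
    if isinstance(value, str):
        value = int(value, 16)
    return f"{value:064x}"

def deposit_log(emitter, token, to, amount, nonce):
    return {"address": emitter, "topics": [DEPOSIT_TOPIC],
            "data": "0x" + abi_word(token) + abi_word(to) + abi_word(amount) + abi_word(nonce)}

# Constructed receipts keyed by transaction hash, standing in for an RPC node.
CHAIN = {
    "0xaaaa": {"status": 1, "blockNumber": 100, "logs": [deposit_log(BRIDGE_CONTRACT, TOKEN, USER, 10**18, 1)]},
    "0xbbbb": {"status": 1, "blockNumber": 100, "logs": [deposit_log(ATTACKER_CONTRACT, TOKEN, ATTACKER, 10**24, 2)]},
    "0xcccc": {"status": 0, "blockNumber": 100, "logs": []},   # reverted deposit
    "0xdddd": {"status": 1, "blockNumber": 119, "logs": [deposit_log(BRIDGE_CONTRACT, TOKEN, USER, 1, 3)]},
}

def parse_deposit(log):
    """Decode a Deposit log by shape alone; None if the topic or layout differ."""
    if not log.get("topics") or log["topics"][0] != DEPOSIT_TOPIC:
        return None
    data = log["data"][2:]
    if len(data) != 4 * 64:
        return None
    w = [data[i:i + 64] for i in range(0, 256, 64)]
    return {"token": "0x" + w[0][24:], "to": "0x" + w[1][24:],
            "amount": int(w[2], 16), "nonce": int(w[3], 16)}

def sign(payload: str) -> str:
    return hmac.new(SIGNER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def weak_validate(tx_hash, chain=CHAIN):
    """Signs for any receipt with a correctly shaped Deposit event, whoever emitted it."""
    receipt = chain.get(tx_hash)
    if receipt is None:
        return None
    for log in receipt["logs"]:
        dep = parse_deposit(log)
        if dep:
            return sign(f"{dep['to']}:{dep['amount']}:{dep['nonce']}")
    return None

class HardenedBackend:
    def __init__(self, chain=CHAIN, head_block=120, confirmations=12, chain_id=1):
        self.chain, self.head, self.confirmations, self.chain_id = chain, head_block, confirmations, chain_id
        self.signed = set()   # replay protection: one signature per deposit transaction

    def validate(self, tx_hash):
        receipt = self.chain.get(tx_hash)
        if receipt is None or receipt["status"] != 1:
            return None                                   # missing or reverted
        if self.head - receipt["blockNumber"] < self.confirmations:
            return None                                   # too fresh; wait out reorg risk
        if tx_hash in self.signed:
            return None
        for log in receipt["logs"]:
            if log["address"].lower() != BRIDGE_CONTRACT:
                continue                                  # the check the weak path omits
            dep = parse_deposit(log)
            if dep is None:
                continue
            self.signed.add(tx_hash)
            # bind chain, tx and nonce so the signature cannot be reused elsewhere
            return sign(f"{self.chain_id}:{tx_hash}:{dep['to']}:{dep['amount']}:{dep['nonce']}")
        return None
```

The emitter check is a single comparison, which is why it is so easily forgotten: the forged event in 0xbbbb is byte-for-byte the same shape as the genuine one in 0xaaaa and differs only in the address field of the log.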

Improper handling of native tokens

Bridges take different approaches toward handling native tokens and utility tokens. For example, on the Ethereum network, the native token is ETH and most utility tokens adhere to the ERC-20 standard.

When a user intends to transfer their ETH to another chain, they must first deposit it into the bridge contract. To achieve this, the user simply attaches the ETH to the transaction (the deposit function must be declared payable to accept it), and the contract reads the amount from the “msg.value” field of the call.

Depositing ERC-20 tokens differs significantly from depositing ETH. To deposit an ERC-20 token, the user must first approve the bridge contract to spend their tokens. Once approved, the deposit call either burns the user’s tokens with the token’s “burnFrom()” function or pulls them into the bridge contract with “transferFrom()”; in both cases the amount is a function argument, not “msg.value”.

One approach to differentiating the two cases is an if-else statement within a single deposit function. Another is to create two separate functions, one for the native token and one for ERC-20 tokens. Whichever is chosen, the two paths must not be confusable: attempting to deposit ETH through the ERC-20 deposit function, or passing an ERC-20 amount to a function that only reads “msg.value”, can result in the loss of those funds.

When handling ERC-20 deposit requests, users usually provide the token address as an argument to the deposit function. This poses a significant risk, since the bridge ends up making an external call into whatever contract lives at that address. Implementing a whitelist that only includes the tokens supported by the bridge is common practice to minimise this risk: only whitelisted addresses may be passed as the token argument, so external calls are confined to token contracts the project team has already reviewed.

However, issues may also arise when bridges handle native-token cross-chain transfers, because the native token has no contract address. By convention, the zero address (0x000...0) is used to represent it. This becomes a problem when the zero-address handling interacts badly with the whitelist check, for example when the native-token branch is taken before the whitelist is consulted, or when the zero address itself ends up on the whitelist: passing the zero address as the token then bypasses the whitelist verification.

When the bridge contract then calls “transferFrom” on that address to pull the user’s assets into the contract, no token logic runs, because the zero address has no code. In the pattern the author describes, the call returns false (exactly how a call into an address without code fails depends on whether it is made through a typed interface or a low-level call), and if the contract does not check that return value the deposit is still recorded. This creates an opportunity for attackers to have a deposit credited without transferring any tokens to the contract.
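
The following is an added example modelling the deposit paths discussed in this section together with the caller-supplied source address and infinite approvals discussed under weak on-chain validation; it is written for this article and is not any bridge’s code. The weak bridge trusts a caller-supplied source address, lets the zero address skip the whitelist and ignores what “transferFrom” returns; the hardened bridge has separate native and ERC-20 entry points, only ever pulls from “msg.sender”, and checks both the return value and the balance delta. Addresses, balances, the MAX_UINT sentinel for an infinite approval and the “credited” ledger standing in for what the bridge would relay to the other chain are constructed.

```python
"""Source-chain deposit handling, modelled in Python. Added example for this article, not any
bridge's code: addresses, balances, MAX_UINT and the `credited` ledger are constructed."""
from collections import defaultdict

NATIVE = "0x" + "0" * 40           # zero address conventionally meaning "the native token"
TOKEN_ADDR = "0x" + "c" * 40
WEAK_ADDR, HARD_ADDR = "0x" + "a" * 40, "0x" + "b" * 40
VICTIM, ATTACKER, USER = "0x" + "1" * 40, "0x" + "2" * 40, "0x" + "3" * 40
MAX_UINT = 2**256 - 1

class Token:
    """Minimal ERC-20 that returns False instead of reverting, so the unchecked-return path shows."""
    def __init__(self):
        self.balance = defaultdict(int)
        self.allowance = defaultdict(int)   # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transferFrom(self, caller, src, dst, amount) -> bool:
        if self.allowance[(src, caller)] < amount or self.balance[src] < amount:
            return False
        if self.allowance[(src, caller)] != MAX_UINT:   # infinite approvals never shrink
            self.allowance[(src, caller)] -= amount
        self.balance[src] -= amount
        self.balance[dst] += amount
        return True

def ext_transfer_from(chain, token_addr, caller, src, dst, amount) -> bool:
    """External call as the article describes it: no code at the address -> False."""
    code = chain.get(token_addr)
    return False if code is None else code.transferFrom(caller, src, dst, amount)

class WeakBridge:
    def __init__(self, address, chain, whitelist):
        self.address, self.chain, self.whitelist = address, chain, set(whitelist)
        self.credited = defaultdict(int)   # (token, beneficiary) -> amount to mint on the other chain

    def deposit(self, msg_sender, msg_value, token, src, amount) -> bool:
        if token != NATIVE and token not in self.whitelist:   # zero address bypasses the whitelist
            return False
        ext_transfer_from(self.chain, token, self.address, src, self.address, amount)  # return ignored
        self.credited[(token, msg_sender)] += amount          # trusts `amount`, never reads msg_value
        return True

class HardenedBridge:
    def __init__(self, address, chain, whitelist):
        self.address, self.chain, self.whitelist = address, chain, set(whitelist) - {NATIVE}
        self.credited = defaultdict(int)

    def deposit_native(self, msg_sender, msg_value) -> bool:
        if msg_value == 0:
            return False
        self.credited[(NATIVE, msg_sender)] += msg_value      # amount comes from msg.value only
        return True

    def deposit_token(self, msg_sender, token, amount) -> bool:
        if token not in self.whitelist:                        # NATIVE can never be whitelisted
            return False
        before = self.chain[token].balance[self.address]
        if not ext_transfer_from(self.chain, token, self.address, msg_sender, self.address, amount):
            return False                                      # models require(ok) / revert
        if self.chain[token].balance[self.address] - before != amount:
            return False                                      # fee-on-transfer or lying token
        self.credited[(token, msg_sender)] += amount
        return True

def run_scenarios():
    token = Token()
    chain = {TOKEN_ADDR: token}           # NATIVE is deliberately absent: no code there
    token.balance[VICTIM] = 200
    weak = WeakBridge(WEAK_ADDR, chain, {TOKEN_ADDR})
    hard = HardenedBridge(HARD_ADDR, chain, {TOKEN_ADDR})
    token.approve(VICTIM, WEAK_ADDR, MAX_UINT)   # the "infinite approval" the article warns about
    token.approve(VICTIM, HARD_ADDR, MAX_UINT)
    out = {}
    # 1. zero address as "token": the call hits no code, returns False, deposit still credited
    out["weak_zero_addr"] = weak.deposit(ATTACKER, 0, NATIVE, ATTACKER, 10**18) and weak.credited[(NATIVE, ATTACKER)] == 10**18
    # 2. caller-supplied `src` plus the victim's standing approval drains the victim
    out["weak_steal"] = weak.deposit(ATTACKER, 0, TOKEN_ADDR, VICTIM, 100) and weak.credited[(TOKEN_ADDR, ATTACKER)] == 100 and token.balance[VICTIM] == 100
    out["approval_intact"] = token.allowance[(VICTIM, WEAK_ADDR)] == MAX_UINT
    out["hard_zero_addr"] = hard.deposit_token(ATTACKER, NATIVE, 10**18)       # False: not whitelisted
    out["hard_steal"] = hard.deposit_token(ATTACKER, TOKEN_ADDR, 100)           # False: src is always msg.sender
    out["hard_native"] = hard.deposit_native(USER, 5) and hard.credited[(NATIVE, USER)] == 5
    out["hard_token"] = hard.deposit_token(VICTIM, TOKEN_ADDR, 40) and token.balance[HARD_ADDR] == 40
    return out
```

Note that the victim’s allowance to the weak bridge is still MAX_UINT after the theft: an infinite approval is not consumed, so the same victim can be drained again as soon as they hold more of the token.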

Misconfiguration

In most blockchain bridges, a privileged role is responsible for whitelisting or blacklisting tokens and addresses, assigning or changing signers, and other critical configurations. Ensuring that all configurations are accurate is crucial, as even seemingly trivial oversights can lead to significant losses.

In fact, there has been an incident where an attacker bypassed the transfer-record verification because of a misconfiguration. A few days before the hack, the project team deployed a protocol upgrade that changed a variable holding the default value of a trusted message, that is, the value an unproven message reads back as. After the change, every message carrying that default value, which is to say every message that had never been proven, was automatically deemed proven, so an attacker could submit an arbitrary message and pass the verification process.
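
As an added example modelling the failure mode just described, and not the affected project’s code, the Python below keeps a destination-side message store in which an unproven message reads back as the default (zero) root, exactly as an unset EVM mapping slot would. Marking that default root trusted during an upgrade makes every unproven message pass; the hardened version refuses to trust the default root and rejects unproven messages regardless of configuration. The names “confirm_at” and “messages”, the zero root as the default value, and the block numbers are assumptions.

```python
"""Misconfigured 'trusted root' default, modelled. Added example for this article, not the
affected project's code; names, the zero-root default and block numbers are assumptions."""
ZERO_ROOT = "0x" + "00" * 32          # what an unset EVM storage slot reads back as

class Replica:
    """Destination-side store. `messages` maps message hash -> root it was proven under;
    an unproven message is absent and therefore reads back as ZERO_ROOT."""
    def __init__(self, reject_default: bool):
        self.reject_default = reject_default
        self.confirm_at = {}     # root -> block from which that root is trusted (absent = untrusted)
        self.messages = {}
        self.processed = set()

    def set_confirm_at(self, root, block):
        """Privileged configuration call, the kind an upgrade runs."""
        if self.reject_default and root == ZERO_ROOT:
            raise ValueError("the default root can never be marked trusted")
        self.confirm_at[root] = block

    def prove(self, msg_hash, root):
        # Merkle verification against `root` elided; on success the message is bound to the root.
        self.messages[msg_hash] = root

    def acceptable_root(self, root, now) -> bool:
        since = self.confirm_at.get(root, 0)
        return since != 0 and now >= since

    def process(self, msg_hash, now) -> bool:
        if msg_hash in self.processed:
            return False
        root = self.messages.get(msg_hash, ZERO_ROOT)
        if self.reject_default and root == ZERO_ROOT:
            return False                    # unproven message, regardless of configuration
        if not self.acceptable_root(root, now):
            return False
        self.processed.add(msg_hash)
        return True

GOOD_ROOT = "0x" + "ab" * 32               # constructed: a root the validators actually signed off on
UNPROVEN_MSG = "0x" + "de" * 32            # constructed: a message nobody ever proved
PROVEN_MSG = "0x" + "ca" * 32

def before_upgrade() -> bool:
    """Correct configuration: only GOOD_ROOT is trusted, so an unproven message is rejected."""
    replica = Replica(reject_default=False)
    replica.set_confirm_at(GOOD_ROOT, 50)
    return replica.process(UNPROVEN_MSG, now=100)

def misconfigured_upgrade() -> bool:
    """The upgrade marks the default root trusted; an arbitrary, never-proven message passes."""
    replica = Replica(reject_default=False)
    replica.set_confirm_at(ZERO_ROOT, 1)
    return replica.process(UNPROVEN_MSG, now=100)

def hardened_upgrade():
    """(config_rejected, unproven_processed, proven_processed) for the guarded replica."""
    replica = Replica(reject_default=True)
    try:
        replica.set_confirm_at(ZERO_ROOT, 1)
        config_rejected = False
    except ValueError:
        config_rejected = True
    replica.confirm_at[ZERO_ROOT] = 1          # even if the guard were bypassed by a raw storage write
    replica.set_confirm_at(GOOD_ROOT, 50)
    replica.prove(PROVEN_MSG, GOOD_ROOT)
    return config_rejected, replica.process(UNPROVEN_MSG, now=100), replica.process(PROVEN_MSG, now=100)
```

The only difference between the rejecting and the accepting replica is a single configuration value, which is the point of the section: the verification code did not change, its trust anchor did.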

How To Improve Bridge Security

The four common bridge vulnerabilities explained above demonstrate the challenges to ensuring security in an interconnected blockchain ecosystem. There are significant considerations for handling each of these vulnerabilities, and no single playbook applies to all of them.

For example, providing general guidelines to ensure an error-free verification process is challenging since each bridge has unique verification requirements. The most effective approach to preventing verification bypass is to test the bridge thoroughly against the attack vectors described above and any others surfaced by threat modelling, and to confirm that the verification logic is sound.

To summarize, it’s essential to perform rigorous testing against potential attacks and pay special attention to the most common security vulnerabilities in bridges.

Closing Thoughts

Due to their high value, cross-chain bridges have long been a target for attackers. Builders can strengthen their bridges’ security by conducting thorough pre-deployment testing and engaging in third-party audits, reducing the risk of the devastating hacks that have plagued bridges over the last few years. Bridges are critical in a multi-chain world, but security must be a primary concern when designing and building an effective Web3 infrastructure.

Read more: https://academy.binance.com/en/articles/what-are-common-bridge-security-vulnerabilities
