While we are heads down building safe bridges, hackers sense an opportunity to find a chink in the armor. The sad reality is that while bridges are necessary for the multi-chain or cross-chain ecosystem we find ourselves in, they are also the weakest link. As a result, bridges have become prime targets for hackers, and unfortunately, 4 out of the top 10 biggest hacks in the history of DeFi are bridges:
-
Ronin Bridge ($624M) — hackers (attributed to the Lazarus group from North Korea) used social engineering techniques to run a phishing attack on the validators of Ronin bridge. They managed to gain control over 5/9 private keys of Ronin validators and drained the funds from the bridge contract.
-
Poly Network ($611M) — hackers found a loophole in the admin privileges of Poly Network’s smart contracts and forced the system to empty its wallet.
-
Wormhole ($326M) — the hackers exploited a security problem in the smart contract’s code and minted over 120k wETH.
-
Harmoney’s Horizon Bridge ($100M) — another social engineering attack where the hackers (Lazarus group) gained access to the private keys of validators and thus were able to authorize a false transaction.
According to the Rekt database, at least 80% of the lost assets in 2022 have been stolen from hacked bridges. Moreover, if you listen to giga brains like Arjun Bhuptani, the first $1B bridge hack is bound to happen.

But what if I told you that while we’ve already lost over a billion dollars in bridge hacks, things could have been far worse than they are today? It’s true! While bridges are honey pots for hackers, and multiple attempts have been made to hack different bridges, the attempts are not always successful, thanks to whitehat hackers (a whitehat hacker is an ethical security hacker).
Here are five instances where bridges have been saved by whitehats:
1. Wormhole — rewarded @satya0x $10 million for disclosing a critical bug in Wormhole’s core bridge contract on Ethereum on February 24, 2022. The bug was an upgradeable proxy implementation self-destruct bug linked to Wormhole’s ability to upgrade their smart contract. If the bug had been exploited, the hacker could have gained access to all the funds locked in Wormhole’s smart contracts.
Immunefi @immunefi Whitehat satya0x reported a critical vulnerability in @wormholecrypto on Feb 24 via Immunefi. The bug was quickly patched, no user funds were affected, and satya0x received a $10 million payout from Wormhole, the largest bounty payout on record.
Wormhole Uninitialized Proxy Bugfix ReviewSummarymedium.com
May 20th 2022
267 Retweets1,177 Likes
2. Polygon Plasma Bridge — rewarded Gerhard Wagner $2 million for finding a bug in the Polygon Plasma Bridge on October 5, 2021. The whitehat hacker prevented a potential $850M hack, as the discovered vulnerability would have allowed an attacker to “exit their burn transaction from the bridge multiple times, up to 223 times.”
Gerhard Wagner @g3rh4rdw4gn3r I just published a write up on the double spending bug I found in @0xPolygon's Plasma bridge gerhard-wagner.medium.com/double-spendin…and submitted through @immunefi
Double spending bug in Polygon’s Plasma bridgeI thought I was out of the security game for a while now and that my interests have moved on to other fields. Last week I came back from an…gerhard-wagner.medium.com
October 21st 2021
240 Retweets980 Likes
3. Optimism — rewarded Jay Freeman $2,000,042 for reporting a critical vulnerability in the Optimism protocol on February 2, 2022. The bug would have allowed an attacker to print an unlimited amount of ETH, exploiting a vulnerability found in OVM 2.0.
Note: Rollups like Optimism are considered the safest implementation of bridges as they leverage L1 for verifying the validity of state transitions for L2s using fraud proofs.
Optimism (✨🔴_🔴✨) @optimismFND We're very excited to announce the launch of the Optimism bug bounty program with @immunefi. Earn up to $2mm for critical bug discoveries! Full details of the program, including what’s in scope and specific guidelines can be found at
Immunefi @immunefi
NEW BIG BOUNTY: $2,000,0042 👀 @optimismPBC has just launched their bug bounty program on Immunefi! Optimism: Scaling Ethereum's present to provide funding for its future. Find bugs. Get yourself OVER $2 Million Dollars. https://t.co/A6g42ycVnu #defi #immunefi #optimism
January 13th 2022
45 Retweets113 Likes
4. Poly Network — hackers returned all of the user funds on Ethereum (except the $33 million in frozen USDT). They claimed to do the hack “for fun” because “cross-chain hacking is hot.” The Poly Network team offered a $500,000 reward, but the whitehat hacker did not accept it.
Poly Network @PolyNetwork2 #PolyNetwork has no intention of holding #mrwhitehat legally responsible and cordially invites him to be our Chief Security Advisor. $500,000 bounty is on the way. Whatever #mrwhitehat chooses to do with the bounty in the end, we have no objections.
Latest Updates(AUG 17)To everyone who remains concerned and has been keeping up with the progress on Poly Network,link.medium.com
August 17th 2021
107 Retweets475 Likes
5. Aurora’s Rainbow Bridge — rewarded pwning.eth with $6,000,000 for submitting a critical vulnerability in Aurora’s Rainbow bridge on April 26, 2022. The vulnerability consisted of an infinite loop spend bug, which could have led to an exploit of 70,000 ETH and $200M in other assets.
pwning.eth is now the proud holder of Immunefi’s Whitehat Hall Of Fame NFT for his work with Aurora’s vulnerability.
Yes, I right-click, save-d that NFT 🙃
While we’re talking about Rainbow Bridge, it’s important to mention the bridge watchdogs who stopped a different attack on Rainbow Bridge in its tracks. This was not precisely a whitehack event. But, in a world that calls itself decentralized, autonomous, and cryptographically secured, this is what it looks like for a "white hat" to act on-chain. The sad part, however, is that the MEV bot front-ran the watchdog to gain 2.5 ETH :/
To conclude, whitehat hackers play a pivotal role in the crypto ecosystem, and bridges (and other projects) should continuously run bug bounties to incentivize them and prevent exploits. If you’re a bridge builder, make your code open-sourced and accessible so it’s easier for whitehat hackers to review it.
Some ongoing bridge bug bounties on Immunefi include:
-
Wormhole – up to $10M
-
Multichain – up to $2M
-
Celer (cBridge) – up to $2M
-
Polygon – up to $2M
-
Arbitrum – up to $2M
-
Optimism – up to $2M
-
RenVM – up to $1M
-
Axelar – up to $1M
-
Nomad – up to $1M
-
Router Protocol – up to $200k
-
deBridge – up to $200k
-
Gravity Bridge – up to $200k
-
Connext – up to $100k