Synapse Bridge prevents $8M USD hack

Published at: Nov. 9, 2021

Cross-chain protocols continue to face challenges, with Synapse Bridge narrowly averting a multi-million-dollar exploit.

On Nov. 7, Synapse Bridge announced on Discord that it had prevented a hacker from draining approximately $8 million USD from the Avalanche Neutral Dollar (nUSD) Metapool.

The hacker attempted to exploit a vulnerability using the bridge to transfer assets from Polygon (MATIC) to Avalanche (AVAX). Synapse is a cross-chain bridge designed to facilitate swaps and transfers between a range of layer-one and layer-two protocols using an automated market maker (AMM).

Synapse Bridge stated: “Over the past 16 hours, we encountered and discovered a contract bug in the way that the AMM Metapool contracts handle virtual price calculations against the base pool's virtual price.”

As soon as Synapse’s validators became aware of unusual activity in the AMM, the protocol paused its support for all chains and went offline. By shutting down the network, the validators were able to collectively elect to reverse the transaction before it could be confirmed. As a result, the funds will not be minted to the attackers’ address on the destination chain.

“The validators will instead mint the nUSD back to the affected Avalanche LPs. All Avalanche nUSD LPs will be made whole, with no funds lost,” stated Synapse Bridge. The funds from the rejected transaction will be used to reimburse the affected liquidity providers after the full audit of the exploit is completed.

Synapse Bridge has now deployed new nUSD pools, which are standard stableswap pools of four assets rather than metapools.

“This is the safest route as the base stableswap contract (distinct from the Metapool contracts) has been thoroughly battle-tested by many different platforms,” wrote Aurelius.

Synapse Bridge says the network is now back online and has resumed normal activity. Backlogged or pending user transactions have also been processed. Synapse Bridge has notified Saddle, the developer of the Metapool contracts, and Saddle has now also paused its pool. Only the metapools from Saddle were affected by the exploit.
