EVM Attack Pattern April 10, 2025 10 min read

Bridge Message Manipulation

How attackers forge, replay, or bypass cross-chain bridge messages to mint unauthorized assets — responsible for over $1.2 billion in losses across the bridge ecosystem.

evmcriticalbridgecross-chainmessage-forgeryattack-patternred-team

Overview

Cross-chain bridges are among the highest-value targets in DeFi. They hold vast pools of locked assets on one chain while minting synthetic representations on another, making them single points of failure worth hundreds of millions of dollars. Since 2022, bridge message manipulation attacks have caused over $1.28 billion in confirmed losses — more than any other attack class in smart contract security.

The fundamental problem is verification: a bridge must confirm that a deposit on Chain A actually occurred before minting assets on Chain B. This verification spans two independent consensus systems with no shared state. Attackers exploit weaknesses in how bridges construct, transport, and verify cross-chain messages — forging Merkle proofs, replaying signatures across chains, or bypassing validation logic that was never properly initialized.

These attacks are catastrophic because they allow attackers to mint unbacked assets at will. Unlike flash loan exploits or oracle manipulation, bridge exploits create tokens from nothing, inflating supply and potentially destabilizing entire ecosystems.

How This Attack Works

Attack Surface

Every cross-chain bridge has three critical verification points. A failure at any one of them can be exploited to forge messages and mint unauthorized assets.

Message construction — How the deposit event on the source chain is packaged into a verifiable message. Weaknesses here include missing chain IDs, absent nonces, or incomplete hashing of critical fields.
Message transport — How the message crosses from one chain to another. Bridges rely on validators, relayers, or light clients to ferry messages. Compromising the transport layer — whether through key theft, insufficient validator thresholds, or relayer manipulation — allows attackers to inject forged messages directly.
Message verification — How the destination chain validates that the message is authentic. This is where the majority of bridge exploits occur. Incomplete Merkle proof checks, uninitialized state variables, and bypassable signature verification have all led to catastrophic losses.

Common Attack Vectors

Merkle Proof Bypass — Craft fake inclusion proofs that pass incomplete verification logic. If the bridge does not fully validate the Merkle tree structure or accepts proofs against an uninitialized root, an attacker can fabricate arbitrary deposit claims.

Signature Replay — Reuse valid validator signatures from one chain on another. When the signed message does not include a chain identifier, a legitimate signature on Ethereum can be replayed on BSC or any other chain the bridge supports, minting assets without a corresponding deposit.

Uninitialized Validation State — Exploit default or zero values in verification state variables. Solidity storage defaults to zero, so a trustedRoot that was never explicitly set will be bytes32(0). Any message constructed with a zero root will pass verification automatically.

Validator Key Compromise — If a bridge uses a multisig or validator set to attest to messages, compromising enough keys to meet the signing threshold allows forging arbitrary messages. Low thresholds (such as 2 of 5) make this attack practical.

Attack Flow

sequenceDiagram
    participant ChainA as Chain A (Source)
    participant Bridge as Bridge Protocol
    participant ChainB as Chain B (Destination)
    participant Attacker as Attacker

    ChainA->>Bridge: Legitimate deposit → generates message
    Note over Bridge: Message includes proof, signatures, metadata

    Attacker->>Bridge: Inject forged message
    Note over Attacker: Fake proof / replayed signature / zero root

    Bridge->>ChainB: Forward message for verification
    ChainB->>ChainB: Verify message (BYPASSED)
    ChainB->>Attacker: Mint assets to attacker
    Note over Attacker: No real deposit ever occurred on Chain A

Historical Exploits

BNB Bridge — $586M (October 2022)

Contract: 0xa045e37a0d1dd3a45fefb8803d22457abc0a728a
Technique: Merkle proof bypass
Root cause: Missing validation in IAVL tree proof verification

The BNB Bridge used an IAVL Merkle tree to verify withdrawal proofs from the Beacon Chain. The verification logic had a critical flaw: it did not fully validate the structure of the proof, allowing the attacker to craft a fake proof that the verifier accepted as legitimate.

The attacker constructed a forged IAVL proof claiming a withdrawal of 2 million BNB. The bridge’s on-chain verifier processed the proof, found it syntactically valid, and approved the withdrawal. The attacker received 2M BNB (worth $586M at the time), then rapidly swapped to stablecoins and bridged assets to other chains to make recovery impossible.

The BNB Chain was halted for approximately 7 hours while validators coordinated an emergency upgrade to patch the verification logic. This remains the largest bridge exploit to date.

Wormhole — $325M (February 2022)

Contract: 0x98f3c9e6e3face36baad05fe09d375ef1464288b
Technique: Signature verification bypass
Root cause: Solana program load_current_index() bug — uninitialized guardian set index

Wormhole is a cross-chain messaging protocol that relies on a set of “guardians” to attest to messages. The vulnerability existed on the Solana side of the bridge, where the guardian signature verification could be bypassed entirely.

The Solana program used load_current_index() to iterate over guardian signatures. When the index was uninitialized (zero), the verification loop skipped that guardian entirely rather than rejecting the message. The attacker exploited this to create fake guardian signatures that the verifier never actually checked.

// Vulnerable Solana-side signature check (simplified)
if load_current_index(i) == 0 {
    // BUG: Skipped verification for uninitialized indices!
    continue;
}

By submitting a message with carefully constructed guardian data, the attacker bypassed signature verification on Solana and minted 120,000 wETH ($325M). The wETH was then bridged to Ethereum and partially converted to ETH. Jump Crypto, Wormhole’s parent company, provided $325M to restore the bridge’s backing. The attacker retained the funds.

Nomad Bridge — $190M (August 2022)

Contract: 0xd90e2f925da726b50c4ed8d0fb90ad053324f31b
Technique: Uninitialized trusted root (0x0)
Root cause: trustedRoot storage variable defaulted to bytes32(0), and any message with a 0x0 root automatically passed verification

This exploit is notable for its simplicity and for becoming a mass participation event. The Nomad bridge used a trustedRoot variable to verify incoming messages against a known-good Merkle root. During a routine upgrade, the implementation was redeployed without initializing this variable, leaving it at the Solidity default of bytes32(0).

contract Replica {
    bytes32 public trustedRoot; // Defaults to 0x0!

    function process(bytes32 root, bytes memory message) external {
        require(root == trustedRoot, "Invalid root");
        // Any message with root=0x0 passes!
        _processMessage(message);
    }
}

The initial attacker discovered that submitting any message with root = 0x0 would pass the verification check. After the first exploit transaction appeared on-chain, over 300 copycats reverse-engineered the attack by simply replacing the recipient address in the original transaction’s calldata and resubmitting. The exploit became a feeding frenzy, with the bridge drained of $190M within hours.

Qubit Bridge — $80M (January 2022)

Technique: Signature replay across chains
Root cause: Missing chain ID in signature verification

The Qubit Bridge allowed users to deposit assets on Ethereum and receive wrapped tokens on BSC. The bridge’s signature verification hashed the deposit amount and token address but critically omitted the chain ID from the signed message.

// Missing chain ID in signature hash
bytes32 hash = keccak256(abi.encodePacked(
    amount,
    token
    // BUG: Missing block.chainid!
));

The attacker deposited a small amount of ETH on Ethereum, obtained a valid validator signature for that deposit, and then replayed the same signature on BSC. Because the chain ID was not included in the hash, the BSC-side verifier accepted the Ethereum signature as proof of a BSC deposit. The attacker repeated this process to mint $80M in qXETH without corresponding collateral on Ethereum.

Harmony Bridge — $100M (June 2022)

Root cause: 2 of 5 validator threshold (40% — far too low)

The Harmony Horizon Bridge used a multisig with only 5 validators, requiring just 2 signatures to approve a withdrawal. This meant compromising only 2 private keys was sufficient to drain the entire bridge.

The attacker compromised 2 of the 5 validator keys (the exact method of compromise has not been publicly disclosed, though social engineering and operational security failures are suspected). With 2 valid signatures, the attacker submitted withdrawal transactions that met the 2-of-5 threshold, draining approximately $100M in assets from the bridge.

This exploit demonstrated that even correctly implemented cryptographic verification is worthless if the trust assumptions are too weak. A 40% threshold provides no meaningful security against a targeted attack.

Detection Patterns

When auditing bridge contracts, the following patterns indicate potential message manipulation vulnerabilities:

Missing chain ID in cross-chain message hashes — Any signed or hashed message that does not include block.chainid or an equivalent chain identifier is vulnerable to cross-chain replay.
Uninitialized validation roots or state — Storage variables used for proof verification (Merkle roots, guardian sets, validator registries) that are not explicitly initialized during deployment or upgrade. Look for bytes32 state variables that could default to 0x0.
Low validator thresholds — Multisig or validator set configurations requiring less than 67% of signers. Thresholds below 2/3 make key compromise attacks practical.
Missing nonce or replay protection — Messages that can be submitted multiple times without a nonce, sequence number, or spent-message mapping. Lack of replay protection allows valid messages to be reused.
Incomplete Merkle proof validation — Proof verification that does not validate tree depth, does not reject zero-valued roots, or does not fully reconstruct the path from leaf to root.
Signature verification bypassable with default values — Verification loops that skip indices when encountering zero or uninitialized values instead of rejecting the entire message.

Mitigation Strategies

1. Include Chain ID in All Messages

Every cross-chain message must bind to a specific source chain, destination chain, and nonce. Omitting any of these fields opens the door to replay attacks.

function createMessage(
    uint256 amount,
    address token,
    address recipient
) internal view returns (bytes32) {
    return keccak256(abi.encodePacked(
        block.chainid,     // Prevent cross-chain replay
        nonces[msg.sender]++, // Prevent same-chain replay
        amount,
        token,
        recipient,
        block.timestamp    // Expiry reference
    ));
}

2. Robust Proof Verification

Merkle proof verification must reject uninitialized roots, enforce maximum proof depth, and fully reconstruct the path from leaf to root. Never trust a proof against a zero-valued root.

function verifyMerkleProof(
    bytes32[] memory proof,
    bytes32 root,
    bytes32 leaf
) internal pure returns (bool) {
    require(root != bytes32(0), "Uninitialized root");
    require(proof.length > 0, "Empty proof");
    require(proof.length <= MAX_PROOF_DEPTH, "Proof too deep");

    bytes32 computedHash = leaf;
    for (uint256 i = 0; i < proof.length; i++) {
        computedHash = computedHash < proof[i]
            ? keccak256(abi.encodePacked(computedHash, proof[i]))
            : keccak256(abi.encodePacked(proof[i], computedHash));
    }
    return computedHash == root;
}

3. Strong Validator Thresholds

Validator sets must require a supermajority to approve messages. Low thresholds turn key compromise from a theoretical risk into a practical one.

Recommended thresholds:
- Minimum: 67% (2/3 + 1)
- Recommended: 75% for high-value bridges
- Use HSMs for all validator keys
- Geographic distribution of key holders
- Regular key rotation schedule
- Rate limiting on minting/withdrawals

4. Message Expiry and Rate Limiting

Even with correct verification, bridges should enforce time bounds and volume caps to limit the blast radius of any single exploit.

uint256 public constant MESSAGE_EXPIRY = 1 hours;
uint256 public constant MAX_MINT_PER_HOUR = 10_000_000e18;

mapping(uint256 => uint256) public hourlyMinted;

function processMessage(bytes memory message, uint256 timestamp) external {
    require(block.timestamp - timestamp < MESSAGE_EXPIRY, "Message expired");

    uint256 hour = block.timestamp / 1 hours;
    hourlyMinted[hour] += amount;
    require(hourlyMinted[hour] <= MAX_MINT_PER_HOUR, "Rate limit exceeded");

    _mint(recipient, amount);
}