Hacker siphons $4.3 million from Meter cross-chain bridge

The infrastructure DeFi company Meter lost about $4.3 million in Bitcoin and Ethereum as a result of the breach.

The @Meter_IO is hacked with the loss of $~4.3M (including 1391.24945169 ETH + 2.74068396 BTC). The extension over the original (unaffected) ChainBridge introduces a false deposit issue !!! https://t.co/YShfXnEZzD pic.twitter.com/oY6bpau8DA

— PeckShield Inc. (@peckshield) February 6, 2022

According to PeckShield, the damage amounted to 1391 ETH and 2.74 BTC. Meter confirmed the hack.

Community, unfortunately Meter Passport was hacked a few hours ago. Please do not trade the unbacked meterBNB that is circulating on Moonriver.

We have identified the issue: Passport has a feature to automatically wrap and unwrap gas tokens like ETH and BNB for user convenience.

— ⚡️Meter.io⚡️ (@Meter_IO) February 5, 2022

The attacker exploited a vulnerability in the automatic “unwrap” function for gas tokens in the protocol, such as ETH and BNB, the company explained.

“The contract did not block direct interaction of wrapped ERC-20 assets for the native gas token, did not properly transfer nor verify the correct amount of WETH sent from the caller address.”, — Meter team added.

Meter, based in Palo Alto, California, provides interchain interoperability for DeFi smart contracts.

The company said it has restored the operation of cross-chain bridge, updated the smart contracts and engaged a third-party auditor for the protocol’s code. To compensate the victims, the firm has reserved $4.4 million in MTRG tokens (based on current prices).

⚡First and foremost, we want to thank our entire community and each one of our partners for their incredible support over the last 48 hours as we navigated the exploit on our bridge.

We are happy to announce that we have upgraded our smart contracts and Passport is back online! pic.twitter.com/9b5OAoEPmH

— ⚡️Meter.io⚡️ (@Meter_IO) February 8, 2022

Earlier in February, hackers drained 120,000 WETH from the Wormhole pool on the Solana-based cross-chain protocol — worth over $319 million at the time of the breach.

In January, Ethereum founder Vitalik Buterin called cross-chain bridges vulnerable due to concerns about asset security.