Latest Defi Bridge Exploit Led To Meter’s Loss Of $4.4M

In a recent Defi bridge exploit, blockchain infrastructure business Meter.io has revealed that US$4.4 million was stolen in an assault on its network on February 6 and has subsequently warned users not to trade unbacked meterBNB circulating on the Moonriver parachain.

Community, unfortunately Meter Passport was hacked a few hours ago. Please do not trade the unbacked meterBNB that is circulating on Moonriver.

We have identified the issue: Passport has a feature to automatically wrap and unwrap gas tokens like ETH and BNB for user convenience.

— ⚡️Meter.io⚡️ (@Meter_IO) February 5, 2022

This malicious assault where tokens were minted by a hacker using a smart contract vulnerability eventually led to a cascading effect over other DeFi networks.

The hack was executed around 6 am PST. The hacker used a loophole in the bridge to mint a considerable quantity of BNB and WETH tokens, which exhausted these reserves on the bridge, Meter Passport. Meter got aware of the depletion and suspended all bridge transactions. The hacker exploited a bug inserted onto the bridge by the Meter team. The team introduced a new bug that is able to wrap and unwrap BNB and ETH automatically. The code inferred trust erroneously, which let the hacker call the ERC20 deposit function to simulate transfers of BNB and ETH. This exploit disrupted the Meter and Moonriver networks.

Peckshield, a blockchain security firm, announced that the stolen funds include 1391.24945169 ETH and 2.74068396 BTC.

Meter warned users of the exploit

Meter went and out and warned users on Twitter immediately when they were aware of the exploit. They are also working on a reimbursement strategy to compensate the ones affected. “We are working on taking a snapshot from before the attack & will convert the original BNB & WETH to 1:1 their values in MTRG, the rest inflated BNB & WETH will be converted based on the hacker stolen value from the LP pools.” “We’ve set aside $4.4M of MTRG based on today’s price,” they added.

Meter also warned users to remove their liquidity involving WETH and BNB liquidity pool and wait for an additional announcement from the Meter team. They also urged to avoid trading in these pairs.

This recent attack on Meter was followed by one of the largest exploits that happened recently on the wormhole. Wormhole was hacked, and It has been estimated that $323 million worth of Ethereum (ETH) has been stolen. Meter also tweeted that they have upgraded their smart contracts, and passport is back online.