Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
Meter.io's cross-chain bridge was hacked, resulting in a loss of around $4.3 million ( 1391.24945169 ETH and 2.74068396 BTC). The hacker was able to exploit a vulnerability in the deposit function, which allowed them to fake BNB or ETH transfers. Meter.io announced that Meter Passport (a cross-chain bridge extension) automatically wraps and unwraps Gas Tokens (such as ETH and BNB) for user convenience. However, the contract did not prohibit the wrapped ERC20 Token from interacting directly with the native Gas Token, nor did it properly transfer and verify the correct amount of WETH transferred from the caller address. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $ 4,300,000.
- chain
- —
- protocol
- Meter.io
- bug_class
- logic
- date_occurred
- 2022-02-06
- loss_usd
- $4,300,000
- source_id
- sm:meter-io::2022-02-06