cross-chain-bridge

6 articles
0 7/10
vulnerability

Threshold Network's L2WormholeGateway contract contained a critical vulnerability allowing attackers to mint unlimited canonical L2 tBTC by exploiting the depositWormholeTbtc function through reentrancy via a malicious ERC20 token's transfer callback. The vulnerability was discovered via Immunefi bug bounty, patched by removing the vulnerable function and adding reentrancy protection, with no funds lost.

Threshold Network tBTC Immunefi Wormhole L2WormholeGateway Arbitrum Base Optimism Polygon Bitcoin
blog.threshold.network · unknown · 4 hours ago · details
0 8/10
vulnerability

A security researcher discovered two critical bugs in Cronos Gravity Bridge: (1) an incorrect ERC-20 deploy event check causing a nonce mismatch that halts cross-chain transfers from Ethereum to Cronos, and (2) a malicious token that can disable the entire bridge. The vulnerabilities stem from inadequate validation in the MsgSubmitEthereumEvent handler and token supply checks.

Cronos Gravity Bridge Immunefi Sommelier Zellic Gravity.sol CosmosERC20 x/gravity
faith2dxy.xyz · Faith · 4 hours ago · details
0 8/10
vulnerability

A critical vulnerability in Axelar Network allowed attackers to force validators to miss votes by crafting transactions with excessive logs that exceed Tendermint's 1MB RPC request limit, leading to automatic Chain Maintainer deregistration and potential halt of cross-chain operations. The vulnerability has been patched via governance proposal 256 disabling the auto-deregistration mechanism.

Axelar Network Marco Hextor Immunefi AxelarGateway Tendermint Cosmos SDK governance-proposal-256
marcotnunes.com · Marco Nunes · 4 hours ago · details
0
vulnerability

A high-severity vulnerability was discovered in Across V3 cross-chain bridge that allows malicious relayers to steal the full value of certain transactions from users by exploiting the optimistic relay mechanism before UMA's Optimistic Oracle validation.

Across V3 UMA zachobront deadrose
mirror.xyz · Zach Obront · 4 hours ago · details
0
vulnerability

A High Severity vulnerability was discovered in Across V3, a cross-chain optimistic bridge, that could allow malicious relayers to steal the full value of certain transactions from users by exploiting the relayer fulfillment mechanism prior to UMA Optimistic Oracle validation.

Across V3 zachobront deadrose UMA Optimistic Oracle
mirror.xyz · Zach Obront · 4 hours ago · details
0
vulnerability

A denial-of-service vulnerability in LayerZero's ONFT (ERC721) implementation allows attackers to freeze cross-chain token transfers by passing a malicious receiver contract that exhausts gas in the onERC721Received() callback, causing the message to block indefinitely at the Endpoint level. The issue stems from NonBlockingLzApp's insufficient gas reservation (1/64 of gasLimit) to handle failed message storage when all allocated gas is consumed.

LayerZero Stargate Immunefi OpenZeppelin ULNv1 NonBlockingLzApp ONFT OFT ERC721 ERC20
trust-security.xyz · Trust Security · 4 hours ago · details