Cyber Incident Victim: Allbridge

Date:

Mar 2023

Location:

United States of America

Summary

Allbridge, a multichain token bridge, suffered an exploit targeting its BUSD/USDT liquidity pools on BNB Chain, leading to a temporary suspension of the bridge. A hacker manipulated the swap price function to drain funds, but later returned a significant portion of the stolen assets after the company offered a white hat bounty and pledged no legal action. The team worked to patch the vulnerability and initiated a compensation plan for affected users.

Description

On or around April 1, 2023, the cross-chain token bridge platform Allbridge experienced a security exploit targeting its Core liquidity pools. The incident was first acknowledged publicly by the Allbridge team in a Twitter post-mortem statement published on April 1, 2023. According to the company's initial investigation, the exploit specifically targeted the BUSD/USDT liquidity pools operating on the BNB Chain. The attack was characterized as a devastating event for the development team, whose immediate priority shifted to addressing the situation and mitigating the impact on its user community.

The technical nature of the attack involved the manipulation of Allbridge's swap price function. This manipulation allowed the attacker or attackers to drain funds from the vulnerable pools. The total amount of funds initially stolen was reported to be approximately $573,000. In the immediate aftermath of the discovery, Allbridge took decisive containment action by temporarily suspending the entire bridge operation. This step was taken as a precautionary measure because the initial investigation indicated that while only the BNB Chain pools were confirmed to have been exploited, the underlying vulnerability potentially extended to other liquidity pools within the system. The bridge was to remain suspended until the identified vulnerability could be successfully patched.

As part of its initial response, Allbridge publicly communicated a proposal directed at the attacker. The company offered a white hat bounty for the return of the stolen assets and explicitly stated that it would not pursue legal action against any individual who returned the funds under these conditions. The official recovery address, 0x01a494079DCB715f622340301463cE50cd69A4D0, was provided, and the attacker was asked to make contact through Allbridge's official channels, such as Twitter direct messages or its Telegram channel. Concurrently, the team worked to deploy a solution for its users, creating a web interface to allow liquidity providers to withdraw their assets from the pools. This interface was made accessible at http://core.allbridge.io/pools within approximately 30 minutes of the announcement.

Subsequent reporting confirmed that this outreach was at least partially successful. By April 3, 2023, it was reported that a hacker had returned assets worth $465,000 to Allbridge. This individual accepted the company's offer of a white hat bounty and the promise of no legal proceedings. The reporting also clarified that the total drain from the exploit was $573,000, meaning a portion of the stolen funds, approximately $108,000, was not recovered at that time. Furthermore, the reports indicated a nuance not fully detailed in the initial post-mortem: a second hacker was also involved in the incident. This second entity had similarly manipulated the swap price function to steal funds. Allbridge publicly asked this second hacker to also reach out to the company, extending the same white hat bounty terms in an effort to recover the remaining assets.

The primary impact of the incident was financial, with a direct loss of $573,000 from the platform's liquidity pools. A significant portion of these funds, $465,000, was recovered following the company's bounty offer. The scope of the attack was initially confined to the BNB Chain, specifically its BUSD and USDT pools. However, the potential for the vulnerability to affect other pools necessitated the complete but temporary shutdown of the bridge service, causing a disruption in normal operations and interoperability for its users. In response to the attack and its impact on users, Allbridge committed to formulating and executing a compensation plan for those affected by the exploit. The company stated it was preparing this plan and would share more information soon, though the specific details of this compensation were not elaborated upon in the immediate public statements. The incident formed part of a broader trend observed in the decentralized finance space during that period, where attackers subsequently returned stolen funds in exchange for a bounty and immunity from legal action, as seen in concurrent incidents involving other platforms like Sentiment and Euler Finance.
