XChainWatcher: Monitoring and Identifying Attacks in Cross-Chain Bridges

TL;DR

XChainWatcher is a modular anomaly detection system for cross-chain bridges that identifies attacks and irregularities, helping to prevent significant financial losses in blockchain interoperability.

Contribution

It introduces a logic-driven, extensible framework for monitoring cross-chain bridges, with the first open dataset of cross-chain transactions and analysis of real attack cases.

Findings

Successfully identified transactions causing $611M and $190M losses

Detected 37 suspicious cross-chain transactions and failed exploit attempts

Provided an open dataset of 81,000 cross-chain transactions totaling over $4.2B

Abstract

Cross-chain bridges are a type of middleware for blockchain interoperability that supports the transfer of assets and data across blockchains. However, several of these bridges have vulnerabilities that have caused 3.2 billion dollars in losses since May 2021. Some studies have revealed the existence of these vulnerabilities, but there is little quantitative research available, and there are no safeguard mechanisms to protect bridges from such attacks. Furthermore, no studies are available on the practices of cross-chain bridges that can cause financial losses. We propose \toolName~(Cross-Chain Watcher), a modular and extensible logic-driven anomaly detector for cross-chain bridges. It operates in three main phases: (1) decoding events and transactions from multiple blockchains, (2) building logic relations from the extracted data, and (3) evaluating these relations against a set of detection rules. Using \toolName, we analyze data from two previously attacked bridges: the Ronin and Nomad bridges. \toolName~was able to successfully identify the transactions that led to losses of \$611M and \$190M (USD) and surpassed the results obtained by a reputable security firm in the latter. We not only uncover successful attacks, but also reveal other anomalies, such as 37 cross-chain transactions (\CCTX) that these bridges should not have accepted, failed attempts to exploit Nomad, over \$7.8M worth of tokens locked on one chain but never released on Ethereum, and \$200K lost by users due to inadequate interaction with bridges. We provide the first open dataset of 81,000 \CCTXS~across three blockchains, capturing more than \$4.2B in token transfers.