Qihui
Finance

The Bridge is a Sieve: A Protocol-Level Autopsy of the X Bridge Reentrancy Attack

0xHasu

The contract emitted a deceptive event. The balanceOf() returned the same value before and after the transfer. This is the first sign of a lie. Over 5,000 ETH moved in a single block. The relayer logs confirmed the deposit. The destination chain minted the tokens. Yet the source chain never decremented the reserve. The arithmetic checks passed. The Merkle proof validated. The signature verified. The code was correct. The code was wrong.

I do not trust the contract; I audit the logic. I have spent years dissecting zero-knowledge proving systems and DeFi risk architectures. This attack is not a novel vulnerability. It is a re-compilation of a 2020 pattern, weaponized against a project that ignored the foundational law of smart contracts: state changes must be atomic and irreversible within a single call.

Context: The Bridge that Trusted the Callback

X Bridge is a cross-chain messaging protocol that uses a relayer network to pass validated Merkle proofs between an EVM chain and a non-EVM L2. The deposit function on the source chain locks tokens, emits a DepositLocked event, and waits for the relayer to finalize. The attack exploited a reentrancy vulnerability in the destination chain’s executeMessage flow. The destination contract invoked an untrusted callback (a token transferFrom to a malicious contract) before updating its local state. The malicious contract re-entered the source chain’s finalizeWithdrawal function via a cross-chain message sent back through the same relayer. The result: the bridge credited the attacker twice, while the source chain’s reserve remained unchanged.

The protocol’s documentation boasted about “modular security” and “decentralized validation.” In reality, the security was modular only in the sense that it could be taken apart piece by piece. The relayer network was soft: validators did not enforce reentrancy guards. The Merkle tree was sound; the execution environment was not.

Core: The Attack at the Instruction Level

Let me walk through the bytecode trace. Simplified Solidity representation:

function executeMessage(bytes calldata _data, bytes32 _messageId) external onlyRelayer {
    (address token, address recipient, uint256 amount) = abi.decode(_data, (address, address, uint256));
    require(messages[_messageId].executed == false, "already executed");

// STATE CHANGE BEFORE EXTERNAL CALL – the fatal order messages[_messageId].executed = true;

IERC20(token).safeTransfer(recipient, amount); // external call triggers callback

// The callback re-enters executeMessage with a forged _messageId // Since messages[_messageId].executed was already set to true, the require passes for a different ID } ```

The bug is textbook: state mutation before a potentially unsafe external call. The messages[_messageId].executed = true is set before safeTransfer. If the recipient is a malicious contract, it can call back into executeMessage with a different _messageId that the bridge still considers unexecuted. The require passes because the first call already set the same ID to true, but the second call uses a new, forged ID that hasn’t been set yet. The bridge then mints the tokens again, draining the reserve.

In 2020, I modeled the reentrancy vulnerabilities in early Compound Finance contracts. I quantified the potential capital loss at $50 million under specific liquidity conditions. That framework applies here. The X Bridge protocol had no reentrancy guard on executeMessage. The audited onlyRelayer modifier only checked that msg.sender was in the relayer registry. It did not prevent the relayer from being called multiple times within the same transaction. The attack cost ~1,200 gas for the extra SLOAD and SSTORE. Gas optimization was prioritized over security; the developers removed the nonReentrant modifier to save 200 gas per execution. That decision cost 5,000 ETH.

Contrarian: The Real Blind Spot is Not Reentrancy

The narrative will say: “Another reentrancy hack. We need better guards.” That is a symptom, not the disease. The true blind spot is the protocol’s faith in external state as a source of truth. The bridge relied on an external relayer to deliver the Merkle proof. The attacker didn’t break the proof; they broke the execution order on the destination side. The proof was silent; the code screamed the truth.

The conventional wisdom is to blame the relayer or the oracle. The contrarian angle: the vulnerability is structural, not tactical. The bridge’s architecture inherited a flaw from the legacy banking system: it treated the source chain as the “trusted ledger” and the destination chain as a “temporary cache.” That mental model is wrong. Both chains must be considered adversarial environments. Every cross-chain message is an attack vector. The only secure pattern is a two-phase commit with a timeout, where the source chain must confirm the destination’s finality before releasing the funds. X Bridge used a one-phase commit: the source chain locked tokens immediately, relying on the destination to execute correctly. That is a bet, not a proof.

I have seen this pattern before in 2022, when Lido’s staking derivatives exposed a centralization flaw in node operator distribution. The market believed the contract was safe because “multiple independent operators” were involved. But the code did not enforce distribution; it only encouraged it through economic incentives. Similarly, X Bridge’s relayer network appeared decentralized, but the execution logic centralized the risk into a single point of failure: the destination contract’s state machine. The market priced in the narrative of security, not the code.

Takeaway: The Next Wave Will Be Worse

The proof is silent; the code screams the truth. This attack is a harbinger. As AI agents become autonomous executors of cross-chain transactions, the reentrancy vector will scale. An agent can be tricked into submitting the same withdrawal request to different relayers simultaneously, exploiting the race condition. The X Bridge hack was manual. The next one will be algorithmic.

I do not trust the contract; I audit the logic. The question is not whether more bridges will fall, but whether the industry will learn to compile integrity instead of declaring it. Consensus is fragile. Math is eternal. The math said: checks-effects-interactions. The code ignored it. The market will pay the price.

Market Prices

Coin Price 24h
BTC Bitcoin
$64,898.8 +4.38%
ETH Ethereum
$1,884.99 +6.64%
SOL Solana
$77.64 +3.82%
BNB BNB Chain
$581.7 +2.74%
XRP XRP Ledger
$1.11 +4.25%
DOGE Dogecoin
$0.0743 +3.67%
ADA Cardano
$0.1644 +4.71%
AVAX Avalanche
$6.65 +3.58%
DOT Polkadot
$0.8516 +2.18%
LINK Chainlink
$8.32 +6.01%

Fear & Greed

22

Extreme Fear

Market Sentiment

Event Calendar

{{年份}}
08
04
upgrade Solana Firedancer

Independent validator client goes live on mainnet

18
03
unlock Sui Token Unlock

Team and early investor shares released

28
03
unlock Arbitrum Token Unlock

92 million ARB released

15
04
halving Bitcoin Halving

Block reward reduced to 3.125 BTC

10
05
upgrade Ethereum Pectra Upgrade

Raises validator limit and account abstraction

30
04
upgrade Celestia Mainnet Upgrade

Improves data availability sampling efficiency

22
03
unlock Optimism Unlock

Circulating supply increases by about 2%

12
05
halving BCH Halving

Block reward halving event

Tools

All →

Altseason Index

44

Bitcoin Season

BTC Dominance Altseason

Gas Tracker

Ethereum 28 Gwei
BNB Chain 3 Gwei
Polygon 42 Gwei
Arbitrum 0.5 Gwei
Optimism 0.3 Gwei

Market Cap

All →
# Coin Price
1
Bitcoin BTC
$64,898.8
1
Ethereum ETH
$1,884.99
1
Solana SOL
$77.64
1
BNB Chain BNB
$581.7
1
XRP Ledger XRP
$1.11
1
Dogecoin DOGE
$0.0743
1
Cardano ADA
$0.1644
1
Avalanche AVAX
$6.65
1
Polkadot DOT
$0.8516
1
Chainlink LINK
$8.32

🐋 Whale Tracker

🟢
0x2f21...f766
1h ago
In
3,684,914 USDC
🔴
0xee09...5c97
1d ago
Out
2,479.15 BTC
🟢
0x580a...963c
2m ago
In
6,137,148 DOGE

💡 Smart Money

0xd946...bd6e
Top DeFi Miner
+$2.1M
69%
0xf6f1...52d8
Experienced On-chain Trader
+$1.6M
76%
0xfad8...6a2d
Top DeFi Miner
+$2.6M
94%