Explained: The Force Bridge Hack (June 2025)

Category: Explained: Hacks

POSTED BY: Rob Behnke

06.10.2025

On May 31st, 2025, Magickbase announced that it would be sunsetting Force Bridge, a cross-chain bridge linking the Nervos Network to other blockchains, over the next six months, allowing users to withdraw their funds during that window. The next day, an attacker exploited the protocol and stole an estimated $3.76 million from its contracts on ETH and BSC.

Inside the Attack

The root cause of the Force Bridge exploit was an access control issue. The attacker accessed privileged functions within the protocol’s smart contracts to unlock and drain the various types of tokens that it held on ETH and BSC.

This type of attack is typically accomplished via compromised private keys. If an attacker has access to privileged accounts, they can use those privileges to access protected functions and drain value.

The attacker funded the ETH wallet used in the attack shortly after the announcement that the protocol would be sunset. While this could indicate an inside job, it could also mean that the attacker already held the keys and was waiting for the right moment, then realized that the value held in the protocol, and available to be stolen, would only decrease over time as the sunset proceeded.

In this case, the Force Bridge exploiter made several failed attempts over six hours to drain value from the smart contract before succeeding. After this, funds were transferred to Tornado Cash and FixedFloat for laundering and to cover the attacker’s tracks.

Lessons Learned from the Attack

At a high level, the Force Bridge hack is an example of the growing threat that off-chain attacks pose to DeFi projects. The attacker didn’t exploit smart contract vulnerabilities; they used private keys to access privileged functions within the smart contract. The timing of the attack also highlights the fact that attackers may be present within a project’s environment or have already stolen keys and are waiting for the perfect moment to strike.

Another important element of the attack was that the attacker performed their attack over six hours with multiple failed attempts. If monitoring were in place, the project would have had ample opportunity to detect and respond to the threat, moving funds to a safe location or revoking the privileges of the compromised keys before the attacker could succeed.
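The monitoring described above comes down to two signals that are cheap to compute from decoded transactions against a bridge contract: a burst of reverted calls to privileged functions from one sender inside a time window, and a successful privileged call that follows earlier reverted attempts by the same sender. The following script is an added example written for this post, not Force Bridge's or Halborn's code; the function names, addresses, timestamps and the transaction sample are all constructed and hypothetical, and the window defaults to the six hours the post cites.

```python
"""Detection rules for repeated failed calls to privileged bridge functions.

Added example, not Force Bridge's own code. All function names, addresses
and timestamps below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical names of the privileged entry points an operator key may call.
PRIVILEGED_FUNCTIONS = {"unlock", "unlockBatch", "setVerifier", "addAsset"}


@dataclass(frozen=True)
class Tx:
    timestamp: int   # unix seconds
    sender: str      # externally owned account that signed the call
    function: str    # decoded function name
    success: bool    # False means the call reverted


# Constructed sample of decoded transactions against a hypothetical bridge
# contract: one routine operator call, four reverted privileged attempts from
# one sender, a success from that sender about six hours later, and some noise.
SAMPLE_TXS = [
    Tx(1_748_736_000, "0xOPERATOR", "unlock", True),
    Tx(1_748_740_200, "0xATTACKER", "unlock", False),
    Tx(1_748_741_100, "0xATTACKER", "unlockBatch", False),
    Tx(1_748_744_900, "0xATTACKER", "unlock", False),
    Tx(1_748_750_300, "0xATTACKER", "setVerifier", False),
    Tx(1_748_761_500, "0xATTACKER", "unlock", True),
    Tx(1_748_762_000, "0xUSER", "withdraw", False),   # unprivileged, ignored
]


def failed_privileged_bursts(txs, threshold=3, window_s=6 * 3600):
    """Return {sender: max_failures} for every sender whose reverted privileged
    calls reach `threshold` inside any sliding window of `window_s` seconds."""
    failures = defaultdict(list)
    for tx in sorted(txs, key=lambda t: t.timestamp):
        if tx.function in PRIVILEGED_FUNCTIONS and not tx.success:
            failures[tx.sender].append(tx.timestamp)

    alerts = {}
    for sender, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within window_s.
            while t - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[sender] = max(alerts.get(sender, 0), count)
    return alerts


def success_after_failures(txs, window_s=6 * 3600):
    """Flag a successful privileged call that follows reverted privileged calls
    from the same sender within `window_s`. Returns [(sender, ts, prior_failures)]."""
    recent_failures = defaultdict(list)
    flagged = []
    for tx in sorted(txs, key=lambda t: t.timestamp):
        if tx.function not in PRIVILEGED_FUNCTIONS:
            continue
        history = recent_failures[tx.sender]
        # Forget failures that have aged out of the window.
        history[:] = [ts for ts in history if tx.timestamp - ts <= window_s]
        if tx.success:
            if history:
                flagged.append((tx.sender, tx.timestamp, len(history)))
        else:
            history.append(tx.timestamp)
    return flagged


if __name__ == "__main__":
    for sender, count in failed_privileged_bursts(SAMPLE_TXS).items():
        print(f"ALERT burst: {sender} had {count} reverted privileged calls")
    for sender, ts, prior in success_after_failures(SAMPLE_TXS):
        print(f"ALERT success: {sender} at {ts} after {prior} reverted attempts")
```

The burst rule is the one that buys response time: in the sample it fires on the third reverted call, hours before the successful drain, which is the window in which an operator could pause the bridge or rotate the compromised key. The second rule is a high-severity confirmation rather than an early warning. Neither rule depends on knowing which addresses are legitimate operators, which matters when the attacker signs with the real operator key and an allowlist on the sender would see nothing unusual.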

A robust Web3 security program is one that considers both on-chain and off-chain risks and implements tools and processes to monitor and defend a deployed smart contract. To learn more about how to enhance your project’s security, get in touch with Halborn.

© Halborn 2025. All rights reserved.