Meter.io Bridge Fake Deposit

On February 5, 2022, the Meter Passport cross-chain bridge was exploited for approximately $4.4 million. The bridge's deposit handler incorrectly trusted the reported transferred amount for native/wrapped tokens, allowing the attacker to trigger a bridged-asset mint without a corresponding real deposit.

What happened

Meter Passport's deposit logic distinguished between ERC-20 transfers and native-token (wrapped) transfers. A flaw in how the native/wrapped path computed the deposited amount meant an attacker could invoke the deposit with no real underlying transfer and still have the bridge emit a deposit event crediting them on the destination chain.

The attacker used this to mint bridged BNB/ETH on the destination side without locking real assets on the source side, then sold the unbacked bridged tokens. The exploit also briefly affected protocols (e.g. Hundred Finance, Voltage) that used Meter-bridged assets, until they paused.

Aftermath

• Meter paused the bridge and patched the deposit-amount handling.
• Meter committed treasury funds to a compensation plan for affected bridged-asset holders and downstream protocols.
• No public recovery from the attacker.

Why it matters

Meter.io is one more bridge "fake deposit" instance — the same structural class as Qubit Finance, Nomad, and THORChain. Every bridge mints a destination representation based on a claim about source-chain state; anything that lets an attacker fabricate that claim breaks the bridge entirely. The catalogue's bridge entries are, almost without exception, variations on this single sentence — and Meter, occurring in the same months as the largest bridge catastrophes of 2022, is a small but representative data point in the year bridges proved to be DeFi's most systematically fragile component.