Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 235 · Bridge Exploit

Nervos Force Bridge Access Control

An access-control flaw drained $3.76M from Nervos's Force Bridge on Ethereum and BNB Chain; the proceeds were swapped to ETH and routed through Tornado Cash and FixedFloat.

Date: June 2, 2025
Funds Stolen: ≈$3.76 million

On June 2, 2025, the Force Bridge — Nervos Network's cross-chain protocol connecting CKB (Nervos) to Ethereum and BNB Smart Chain — was exploited for approximately $3.76 million. The root cause was an access-control issue in the bridge contract logic. Stolen funds were rapidly swapped to ETH and routed through Tornado Cash and FixedFloat for laundering.

What happened

Force Bridge handled cross-chain asset transfers between Nervos' CKB chain and EVM-compatible networks (Ethereum and BNB Chain). The bridge contracts on each EVM side held custodial reserves of bridged assets; cross-chain withdrawals required authorisation from the bridge's operator infrastructure.

The vulnerability lived in the access control governing privileged operations on the bridge contracts. Public reporting did not detail the exact mechanism, but the on-chain pattern was consistent with an attacker who had obtained operator-level authority over the withdrawal path, whether through compromised operator keys, a breach of the operator infrastructure, or a configuration error that let unauthorised callers invoke privileged functions directly.
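To make the class of flaw concrete, the following Solidity contracts are an added illustration and not Force Bridge's code; the page does not state which of the three mechanisms above applied, so the contract names, function names and signer set here are hypothetical. WeakBridge models the "configuration error" case: the withdrawal gate checks a single operator address, but the function that rotates that address is itself ungated, so any caller can appoint itself operator and drain the reserve. HardenedBridge shows the shape a practitioner would expect instead: withdrawals and signer-set changes both require M-of-N signatures over a message bound to the chain id and contract address (the same code was deployed on both Ethereum and BNB Chain, so approvals must not be portable between them) and protected by a nonce against replay.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Force Bridge code. All names are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Weak pattern: single-operator gate whose rotation function has no access check.
contract WeakBridge {
    address public operator;

    constructor(address op) { operator = op; }

    // Bug: anyone can call this, so anyone can become the operator.
    function setOperator(address newOp) external { operator = newOp; }

    // The check here is correct in isolation; the gate is bypassed via setOperator.
    function unlock(address token, address to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}

/// Hardened pattern: M-of-N signatures over a domain-bound, nonce-protected message.
contract HardenedBridge {
    mapping(address => bool) public isSigner;
    uint256 public threshold;
    uint256 public nonce;
    bytes32 public immutable DOMAIN; // binds approvals to this chain and this contract

    constructor(address[] memory signers, uint256 m) {
        require(m > 0 && m <= signers.length, "bad threshold");
        for (uint256 i = 0; i < signers.length; i++) isSigner[signers[i]] = true;
        threshold = m;
        DOMAIN = keccak256(abi.encode("HardenedBridge", block.chainid, address(this)));
    }

    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad sig length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (v < 27) v += 27;
        // Reject high-s signatures so one approval cannot be malleated into a second form.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "bad sig");
        return signer;
    }

    // Signatures must be ordered by ascending signer address, so one key cannot be counted twice.
    function _checkQuorum(bytes32 structHash, bytes[] calldata sigs) internal view {
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN, structHash));
        address last;
        uint256 valid;
        for (uint256 i = 0; i < sigs.length; i++) {
            address signer = _recover(digest, sigs[i]);
            require(signer > last, "sigs must be unique and sorted");
            require(isSigner[signer], "not a signer");
            last = signer;
            valid++;
        }
        require(valid >= threshold, "quorum not met");
    }

    function unlock(address token, address to, uint256 amount, bytes[] calldata sigs) external {
        bytes32 structHash = keccak256(abi.encode(
            keccak256("Unlock(address token,address to,uint256 amount,uint256 nonce)"),
            token, to, amount, nonce));
        _checkQuorum(structHash, sigs);
        nonce++; // each approval spends exactly one nonce: no replay on this chain or contract
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }

    // Rotating the signer set needs the same quorum; no single caller can grant itself authority.
    function setSigner(address who, bool allowed, bytes[] calldata sigs) external {
        bytes32 structHash = keccak256(abi.encode(
            keccak256("SetSigner(address who,bool allowed,uint256 nonce)"),
            who, allowed, nonce));
        _checkQuorum(structHash, sigs);
        nonce++;
        isSigner[who] = allowed;
    }
}
```

Two caveats on the hardened form. First, the quorum only helps if the M signers are operationally independent: M keys on one operator host collapse back to the single-key model the HECO compromise exploited. Second, removing signers through setSigner can leave fewer live signers than `threshold`; that fails closed (the bridge can no longer release funds) rather than open, which is the right failure direction for a custodial reserve, but it needs an out-of-band recovery path.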

The drain breakdown:

  • ~$3.1 million on Ethereum, including:
    • 257,800 USDT
    • 539 ETH
    • 898,300 USDC
    • 60,400 DAI
    • 0.79 WBTC
  • ~$600,000 on BNB Chain (mix of stablecoins and BNB).

The attacker converted the stolen assets to ETH through DEX aggregators and routed the proceeds through Tornado Cash and FixedFloat, an exchange known to be used in laundering operations.

Aftermath

  • Nervos Network halted Force Bridge operations and launched an investigation with law-enforcement support.
  • No formal attribution of the threat actor was published; the laundering pattern resembled that of state-aligned operations, but the resemblance was never confirmed.
  • No public recovery from the attacker's wallets.

Why it matters

The Force Bridge incident continues the recurring pattern of bridge access-control vulnerabilities producing mid-sized DeFi losses across the 2021-2026 era:

  • ChainSwap (Jul 2021) — bridge mint authorization gap on BSC.
  • Qubit Finance (Jan 2022) — bridge fake-deposit acceptance.
  • Nomad (Aug 2022) — initialization treating zero as valid root.
  • HECO Bridge (Nov 2023) — operator key compromise.
  • Force Bridge (Jun 2025) — operator access control.

In every case, the operator-trust model of cross-chain bridges is the structural attack surface. The contracts are reviewed against the question "does the bridge behave correctly when the operator behaves as intended", but the question that matters is "can anyone who is not that operator make the bridge release its reserves", whether through a missing authorisation check, a permissive initialisation or a stolen key. That gap is what these incidents repeatedly exploit.

The defensive responses — multi-DVN configurations, slashing-enforced attestation committees, canonical-execution bridge designs that don't depend on signers — are progressively being adopted but the older bridge generation continues to operate with operator-trust models that have proven structurally fragile.

Sources & on-chain evidence

  1. halborn.com — https://www.halborn.com/blog/post/explained-the-force-bridge-hack-june-2025
  2. theblock.co — https://www.theblock.co/post/356535/hackers-drain-over-3-million-in-crypto-from-nervos-networks-force-cross-chain-bridge-say-security-analysts
  3. cryptocsec.substack.com — https://cryptocsec.substack.com/p/hack-alert-37-million-dollars-stolen
