On June 1, 2025, just hours after Magickbase’s May 31 sunset announcement, which granted users a six-month withdrawal window for the Nervos Network’s cross-chain bridge connecting CKB to Ethereum and BNB Chain, the protocol lost $3.76M in an access control breach. The attacker exploited compromised admin privileges to unlock and drain assets via privileged functions like unlock() and withdraw().

The attacker (ETH: 0x1998C6d25212194eBf9BB919b87D40b2Dc8aa8b9; BSC: 0x1998c6d25212194ebf9bb919b87d40b2dc8aa8b9) was funded a day prior via KuCoin (ETH tx: 0x0da4f731d05fce5358eb61115f71dad002d6b8b0c414d3269d8e45e7fa297e4d; BSC tx: 0xa29463be9b81b126d22bb2f6e8001ed36f0bbd71f2b2da763a538e732e747c25) and tested with six hours of failed attempts (e.g., ETH: 0x69104f6b14faa6d77ae9837f6d5d01134b2af0e620d54a0723fdd931b40a87c7; BSC: 0x57a8d7b0fe1ad8b9159a37a09b3379e82cc85eb047528a5cef09dbf98b881357) before succeeding. The ETH target (0x63A993502e74828ddba5710327AFC6dc78d661b2) yielded $3.127M across two transactions (0x6b6fbd9d6beef56d2a4f0d14852beea381764b962d7d73ecd216b9fd991299a1: $2.69M; 0x9859b6cbb2764a6cb86450cd7b514f54766b461735da081195226265d72a75fa: $437k), while the BSC target (0x8215c949F2025B84629041903aDe8394f0a080c6) added $634k (0x4c7e83126e9327fe62cb8e3dab72121062eaf213852fd581e7ada43c93ea58a4: $571k; 0x555b07899ea87be062a7df84220b38fdf93aded10ad09229e9265bed5753744b: $63k).

The stolen assets (257.8k USDT, 539 ETH, 898k USDC, 60k DAI, 0.79 WBTC) were swapped to ETH and laundered via Tornado Cash and FixedFloat. Cyvers and Hacken flagged the breach. Magickbase paused operations, handled communications (the Nervos Foundation emphasized decentralization without addressing the breach directly), and launched investigations, but no recovery or bounty was reported amid suspicions of insider timing.

This off-chain key compromise, which did not rely on any code flaw, fits 2025’s trend of operational risks in bridges. It argues for multi-sig/MPC for admin keys, real-time monitoring to catch failed probes, cold storage, and phased sunsets with enhanced safeguards to preempt “convenient” exits.
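
One way to implement the real-time monitoring for failed probes recommended above, as an added example that is not code from this report or from any party named in it: it scans decoded transactions for repeated reverted calls to the privileged functions and for privileged calls that succeed from an unexpected sender. The record layout, placeholder addresses, `operators` set and alert threshold are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

PRIVILEGED = {"unlock", "withdraw"}  # function names cited in the report
WINDOW_S = 6 * 3600                  # the report describes six hours of failed attempts
THRESHOLD = 3                        # assumed: reverts per sender before alerting


@dataclass(frozen=True)
class Tx:
    ts: int       # block timestamp, unix seconds
    sender: str
    to: str
    method: str   # decoded function name
    ok: bool      # receipt status (False = reverted)


def detect(txs, bridge, operators, window=WINDOW_S, threshold=THRESHOLD):
    """Return (ts, sender, kind) alerts for privileged calls to `bridge`."""
    reverts = defaultdict(deque)  # sender -> timestamps of reverts inside the window
    alerts = []
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.to != bridge or tx.method not in PRIVILEGED:
            continue
        q = reverts[tx.sender]
        while q and tx.ts - q[0] > window:
            q.popleft()  # drop reverts older than the window
        if not tx.ok:
            q.append(tx.ts)
            if len(q) == threshold:  # fires each time the count reaches the threshold
                alerts.append((tx.ts, tx.sender, "repeated-reverts"))
        elif tx.sender not in operators:
            alerts.append((tx.ts, tx.sender, "unexpected-privileged-success"))
        elif q:  # a known key succeeding right after failing is also worth a look
            alerts.append((tx.ts, tx.sender, "success-after-reverts"))
    return alerts


# Constructed sample data; the addresses are placeholders, not on-chain values.
BRIDGE, OPERATOR, UNKNOWN = "0xBRIDGE_PLACEHOLDER", "0xOPERATOR_PLACEHOLDER", "0xUNKNOWN_PLACEHOLDER"
SAMPLE = [
    Tx(0, OPERATOR, BRIDGE, "unlock", True),                 # routine operation
    Tx(1000, UNKNOWN, BRIDGE, "unlock", False),
    Tx(4600, UNKNOWN, BRIDGE, "withdraw", False),
    Tx(9000, UNKNOWN, BRIDGE, "unlock", False),              # third revert in window
    Tx(21000, UNKNOWN, BRIDGE, "unlock", True),              # success from unexpected sender
    Tx(21500, UNKNOWN, "0xOTHER_PLACEHOLDER", "unlock", False),  # other contract, ignored
]
```

Reverted calls are counted for known operators too, since a compromised admin key would sign from an address the allowlist already trusts.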