High-Severity Vulnerability Hits ETH L2 Bridges
A high-severity security vulnerability, identified as CVE-2025-68664, has been disclosed affecting Ethereum Layer-2 bridges. Working exploits are reportedly circulating, though patches have been made available. The incident serves as a critical reminder of the security risks inherent in cross-chain infrastructure.
- The vulnerability, CVE-2025-68664, does not affect Ethereum L2 bridges; it is a critical serialization injection flaw in LangChain, a popular open-source framework for building applications powered by large language models (LLMs). This is relevant to the AI x memecoin crossover narrative, since a compromised AI application could expose sensitive data such as API keys or private keys.
- The LangChain vulnerability is rated critical with a CVSS score of 9.3 and allows attackers to extract sensitive data and potentially execute code. It occurs because the framework fails to properly handle a specific internal marker key ("lc"), allowing an attacker to cause user-controlled data to be treated as a trusted command during deserialization.
- Cross-chain bridges remain a primary target for hackers in DeFi, with over $2.8 billion stolen to date, accounting for a significant portion of all value hacked in Web3. These exploits pose a direct risk to liquidity providers and traders moving assets between chains like Ethereum, Base, and Solana.
- The largest bridge hack in history was the Ronin Network exploit in March 2022, where attackers stole over $620 million in ETH and USDC. The attack was the result of compromised private keys belonging to validator nodes, highlighting the risks of centralized validator sets.
- The Wormhole bridge, connecting Solana and other chains, was exploited for over $320 million in February 2022. The attacker exploited a smart contract vulnerability that allowed them to mint 120,000 Wrapped ETH (wETH) on Solana without depositing the corresponding ETH, creating unbacked assets.
- The Nomad bridge hack in August 2022 resulted in a loss of approximately $190 million. A routine smart contract upgrade introduced a flaw that allowed users to spoof transactions, which was quickly replicated by hundreds of individual wallets in a "crowdsourced" looting event.
- In August 2021, the Poly Network was exploited for $610 million across multiple blockchains, including Ethereum and Polygon. The attacker exploited a vulnerability in how the protocol handled access rights between smart contracts, allowing them to execute malicious transactions.
- Unlike the misattributed LangChain CVE, real bridge exploits commonly stem from a few recurring attack vectors: compromised validator private keys, smart contract bugs that allow signature bypass or unbacked minting, and faulty upgrades that introduce critical vulnerabilities.
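The LangChain bullets above describe the general shape of a serialization injection: a loader honours an internal marker key wherever it appears, so user-controlled data that happens to carry that key is executed as a framework instruction. The toy model below is an added illustration, not LangChain's code or API: the wire format, the `lc` marker handling, the `secret`/`constructor` instruction types, the `Prompt` class and the secret store are all hypothetical stand-ins. It shows the vulnerable loader leaking a secret from a user message, and two defences a maintainer would reach for: escaping user data on the serialization side so it can never look like an instruction, and refusing to resolve secrets or build non-allowlisted classes on the loading side.

```python
"""Toy model of a serialization-injection flaw (added illustration, not LangChain code).

The loader revives a JSON tree and treats any mapping carrying the marker key
"lc" as an instruction: build an object, or resolve a named secret. If user
data is serialized verbatim and later loaded by the same code, the user's
mapping runs as though the framework had written it.
"""
import json
from typing import Any, Callable, Dict, Optional, Tuple

MARKER = "lc"
ESCAPE = "__literal__"

# Constructed stand-in for the application's secret store (not real values).
SECRETS = {"API_KEY": "sk-constructed-example"}


class Prompt:
    """Harmless constructible object standing in for a framework class."""

    def __init__(self, template: str) -> None:
        self.template = template


# The only classes a loader is permitted to build from data.
ALLOWED_CLASSES: Dict[Tuple[str, ...], type] = {("toyfw", "Prompt"): Prompt}


def vulnerable_loads(node: Any) -> Any:
    """Revive a tree, honouring the marker wherever it appears (the flaw)."""
    if isinstance(node, list):
        return [vulnerable_loads(x) for x in node]
    if isinstance(node, dict):
        if node.get(MARKER) == 1:
            if node.get("type") == "secret":
                return SECRETS[node["id"]]  # user data may name any secret
            if node.get("type") == "constructor":
                cls = ALLOWED_CLASSES[tuple(node["id"])]
                return cls(**{k: vulnerable_loads(v) for k, v in node["kwargs"].items()})
        return {k: vulnerable_loads(v) for k, v in node.items()}
    return node


def safe_dumps_user_data(value: Any) -> str:
    """Serialize user-controlled data so it can never be read as an instruction.

    Any user mapping that carries the marker key is wrapped as a literal; the
    hardened loader unwraps it without interpreting its contents.
    """
    def escape(node: Any) -> Any:
        if isinstance(node, list):
            return [escape(x) for x in node]
        if isinstance(node, dict):
            inner = {k: escape(v) for k, v in node.items()}
            return {ESCAPE: inner} if MARKER in node else inner
        return node
    return json.dumps(escape(value))


def hardened_loads(node: Any, *, secret_resolver: Optional[Callable[[str], str]] = None) -> Any:
    """Revive a tree: escaped user data stays data, secrets resolve only through an
    explicit caller-supplied hook, and only allowlisted classes are constructed."""
    rec = lambda n: hardened_loads(n, secret_resolver=secret_resolver)  # noqa: E731
    if isinstance(node, list):
        return [rec(x) for x in node]
    if isinstance(node, dict):
        if set(node) == {ESCAPE}:  # wrapped user literal: plain data, not an instruction
            return {k: rec(v) for k, v in node[ESCAPE].items()}
        if node.get(MARKER) == 1:
            kind = node.get("type")
            if kind == "secret":
                if secret_resolver is None:
                    raise ValueError("secret resolution not enabled for this load")
                return secret_resolver(node["id"])
            if kind == "constructor":
                cls = ALLOWED_CLASSES.get(tuple(node["id"]))
                if cls is None:
                    raise ValueError(f"class not allowlisted: {node['id']}")
                return cls(**{k: rec(v) for k, v in node["kwargs"].items()})
            raise ValueError(f"unknown instruction type: {kind!r}")
        return {k: rec(v) for k, v in node.items()}
    return node


# Constructed input: a chat message whose "content" is a mapping that happens to
# carry the marker key. Serializing message content verbatim hands it to the loader.
USER_MESSAGE = {"role": "user", "content": {MARKER: 1, "type": "secret", "id": "API_KEY"}}


def demo_vulnerable() -> Any:
    """Naive json.dumps + vulnerable loader: the secret value comes back."""
    return vulnerable_loads(json.loads(json.dumps(USER_MESSAGE)))["content"]


def demo_hardened() -> Any:
    """Escaping serializer + hardened loader: the mapping stays inert data."""
    return hardened_loads(json.loads(safe_dumps_user_data(USER_MESSAGE)))["content"]


def demo_hardened_unescaped_rejects() -> bool:
    """Even unescaped, the hardened loader refuses secret resolution unless opted in."""
    try:
        hardened_loads(json.loads(json.dumps(USER_MESSAGE)))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
    print("rejects:   ", demo_hardened_unescaped_rejects())
```

The two defences are independent: escaping at the serialization boundary fixes the confusion between data and instructions, while the loader-side allowlist and opt-in secret hook limit the blast radius if some other path delivers an unescaped marker. A detection-minded reviewer would also log any `ValueError` the hardened loader raises, since a rejected marker in user content is a useful signal.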
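The final bullet names three recurring bridge attack vectors: compromised validator keys, contract bugs that allow signature bypass or unbacked minting, and faulty upgrades. The model below is an added illustration of the controls that address the first two, not the code of any bridge mentioned above: a signature threshold so that one compromised validator key cannot release funds, deposit-backed minting with replay protection so that wrapped tokens cannot be created without a matching lock, and a backing invariant an off-chain monitor can check. HMAC stands in for validator signatures; the validator names, keys, threshold and amounts are all constructed.

```python
"""Toy cross-chain bridge model (added illustration; not any real bridge's code).

Controls shown: a 3-of-5 validator threshold, lock-backed minting with replay
protection, and a supply-backing invariant for monitoring. HMAC stands in for
validator signatures; every key and amount here is constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Set

# Constructed validator set: name -> signing key (stand-ins, not real material).
VALIDATOR_KEYS: Dict[str, bytes] = {f"validator-{i}": f"toy-key-{i}".encode() for i in range(5)}
THRESHOLD = 3  # valid signatures required out of 5 validators


@dataclass(frozen=True)
class LockMessage:
    """Attestation that `amount` was locked on the source chain for `recipient`."""
    nonce: int
    recipient: str
    amount: int

    def digest(self) -> bytes:
        payload = json.dumps(self.__dict__, sort_keys=True).encode()
        return hashlib.sha256(payload).digest()


def sign(validator: str, msg: LockMessage) -> bytes:
    """Toy validator signature: HMAC over the message digest."""
    return hmac.new(VALIDATOR_KEYS[validator], msg.digest(), hashlib.sha256).digest()


class SourceVault:
    """Source-chain side: locks tokens and emits one LockMessage per deposit."""

    def __init__(self) -> None:
        self.total_locked = 0
        self._nonce = 0

    def lock(self, recipient: str, amount: int) -> LockMessage:
        self._nonce += 1
        self.total_locked += amount
        return LockMessage(self._nonce, recipient, amount)


class WrappedToken:
    """Destination-chain side: mints wrapped tokens only against attested locks."""

    def __init__(self) -> None:
        self.balances: Dict[str, int] = {}
        self.total_minted = 0
        self.processed: Set[int] = set()

    def mint(self, msg: LockMessage, signatures: Dict[str, bytes]) -> None:
        if msg.nonce in self.processed:
            raise ValueError("replay: lock message already consumed")
        valid = 0
        for validator, sig in signatures.items():
            key = VALIDATOR_KEYS.get(validator)
            if key is None:
                continue  # an unknown signer never counts toward the threshold
            expected = hmac.new(key, msg.digest(), hashlib.sha256).digest()
            if hmac.compare_digest(expected, sig):
                valid += 1
        if valid < THRESHOLD:
            raise ValueError(f"only {valid} valid signatures, need {THRESHOLD}")
        self.processed.add(msg.nonce)
        self.balances[msg.recipient] = self.balances.get(msg.recipient, 0) + msg.amount
        self.total_minted += msg.amount


def backing_ok(vault: SourceVault, token: WrappedToken) -> bool:
    """Monitor invariant: wrapped supply must never exceed locked collateral."""
    return token.total_minted <= vault.total_locked


def scenario() -> dict:
    """Run one honest transfer and three rejected attempts; return the outcomes."""
    vault, token = SourceVault(), WrappedToken()
    msg = vault.lock("alice", 100)
    quorum = {v: sign(v, msg) for v in list(VALIDATOR_KEYS)[:3]}
    token.mint(msg, quorum)  # honest path: 3-of-5 validators attest the lock

    def fails(fn) -> bool:
        try:
            fn()
        except ValueError:
            return True
        return False

    # A lock that never happened on the source chain, presented to the mint contract.
    forged = LockMessage(nonce=999, recipient="attacker", amount=10_000)
    single = {"validator-0": sign("validator-0", forged)}  # one compromised key only
    bogus = {f"validator-{i}": b"\x00" * 32 for i in range(3)}  # no real attestation
    return {
        "alice_balance": token.balances["alice"],
        "single_key_rejected": fails(lambda: token.mint(forged, single)),
        "bogus_sigs_rejected": fails(lambda: token.mint(forged, bogus)),
        "replay_rejected": fails(lambda: token.mint(msg, quorum)),
        "backing_ok": backing_ok(vault, token),
    }


if __name__ == "__main__":
    print(scenario())
```

The `backing_ok` check is the kind of invariant a monitoring job would evaluate continuously against both chains: wrapped supply exceeding locked collateral is exactly the symptom of the unbacked-minting failure described above, and it is detectable independently of whatever bug produced it.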