defirisk.co
rubric v1.7.0

Force Bridge (Nervos Network): Access control compromise — admin key leak → privileged unlock() drain across two chains

Occurred: 2025-06-01 | Loss: $4M | Status: closed

Summary

Force Bridge (Nervos Network) suffered a cross-chain bridge incident on 2025-06-01, resulting in a loss of approximately $4M.

What happened

Force Bridge was drained for $3.76M on the same day it announced its retirement — an attacker with admin-level access systematically unlocked assets across Ethereum and BSC after multiple failed attempts hours earlier.

Linked factors

  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N — none mentioned]
  • RD-F-027 — causal : ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — the exploit was itself an admin-level action; no on-chain governance signal preceding it]
  • RD-F-031 — causal : Signer rotation recency [via cross-hack: Factor 56: Dormant Admin Key > 30 Days]
  • RD-F-032 — related : Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
  • RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Wallet funded via KuCoin on May 31 (day before sunset announcement); multiple failed access control attempts on June 1 before success; ~6-ho...]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — the exploit was itself an admin-level action; no on-chain governance signal preceding it]
  • RD-F-166 — causal : Officially-deprecated surface still holds material value [via cross-hack: Factor 46: Sunset / Wind-Down Period as Reduced Vigilance Window]