Wormhole token bridge loses $321 million in 2022's largest hack
The token bridge between Ethereum and Solana was breached, resulting in the theft of 120K wETH tokens from the platform and their distribution to the hacker's Solana and Ethereum wallets.
A security breach on the Wormhole token bridge occurred today, resulting in the theft of 120,000 wETH tokens ($321 million) from the network.
Wormhole is a decentralised token bridge that enables users to send and receive cryptocurrency across Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without the need for a centralised exchange (CEX). This is the largest cryptocurrency hack of 2022 so far, and the second largest DeFi breach. The Wormhole team has offered a $10 million bug bounty in exchange for the return of the funds.
The hack occurred on the Solana side of the bridge, and there are suspicions that Wormhole’s connection to Terra is also susceptible.
The Wormhole team has informed the community that it would replace its ETH supply in order to “ensure wETH is backed 1:1,” but there is no indication of where or when those funds will come from.
The incident occurred at 6:24 p.m. UTC on February 2. At 6:28 p.m. UTC, the attacker minted 120,000 wETH (WETH) on Solana and then redeemed 93,750 WETH for ETH valued at $254 million on the Ethereum network. The hacker has subsequently used part of the funds obtained to purchase SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club Token (APE).
On Solana, the remaining WETH was exchanged for SOL and USDC. At the moment, the hacker’s Solana wallet holds 432,662 SOL ($44 million).
There have been no reports of additional Wormhole assets or chains being impacted; however, smart contract auditing company CertiK said today that “it is probable that Wormhole’s bridge to the Terra blockchain has the same vulnerability as their Solana bridge.”
The Wormhole team contacted the hacker through their Ethereum address and offered to let the hacker keep $10 million of the stolen assets in exchange for the return of the remaining funds.
“This is the Deployer of Wormholes: We observed you were able to make use of the Solana VAA verification and token minting. We’d want to offer you a whitehat agreement and a $10 million bug reward for exploit specifics, as well as refund the wETH you’ve earned. Contact us at [email protected]”
As of this writing, wETH tokens transmitted over the bridge are not redeemable while the Wormhole team works to close the vulnerability.
This is the second exploit of a smart contract on a token bridge in less than a week. On Jan. 28, Qubit Finance’s QBridge was exploited to drain $80 million from BSC. It’s also reminiscent of last August’s Poly Network theft, in which $610 million in cryptocurrency was taken from the platform. In that instance, the whitehat hacker returned virtually all of the funds.
The frequency with which smart contracts on token bridges are compromised helps to corroborate Vitalik Buterin’s January 7 warning that bridges have “fundamental security limitations.” Although the Ethereum co-founder’s warning came in the context of a 51 percent attack on Ethereum, his advice was timely in that it highlighted the overall vulnerability of bridges that transmit tokens between layer-1 blockchains.