Wormhole Blockchain Bridge Exploited for Over $300 MillionDeFi Platform Patches Vulnerability, Says 'Funds Are Safe'
Stay tuned for updates on this developing story.
The Wormhole network, a token bridge that allows users to trade multiple cryptocurrencies across the ethereum and solana blockchains, has been exploited for 120,000 ETH tokens ($321 million), the company acknowledged via Twitter. The protocol also tweeted early Thursday that "all funds have been restored and Wormhole is back up," following a Solana-side mint function exploit.
This week's incident is the fourth largest crypto theft of all time and the second largest decentralized finance cyberattack on record, according to blockchain security firm Elliptic.
Earlier, the platform indicated it had issued a fix for a detected flaw and was working to "get the network back up as soon as possible." Wormhole also tweeted that "ETH will be added" and wrapped Ethereum, or wETH, which is pegged to the value of the original coin, "is backed 1:1."
Wrapped Ethereum, or wETH, is an Ethereum Requests for Comments 20, or ERC-20, token - a common standard required to exchange ETH with other Ethereum-based tokens, such as SOL, the native cryptocurrency of chain rival Solana, which is gaining traction in the non-fungible token, or NFT, and DeFi space.
Wormhole, at the time of publication, indicated that its team had addressed its Ethereum losses and gotten the portal back online. It stated earlier: "All funds are safe."
A spokesperson for the protocol did not immediately respond to Information Security Media Group's request for additional details about the incident. Also on Twitter, Wormhole indicated it was working on a detailed incident report. According to Ethereum messaging service Notifi, Wormhole offered the alleged threat actor a $10 million bug bounty as part of a "white-hat agreement" for exploit details.
Jump Crypto - a part of the Jump Trading Group, which owns venture capital firm Jump Capital - tweeted Thursday that it had replenished 120,000 ETH taken in the heist, "to make community members whole and support Wormhole." The VC firm said it "believes in a multi-chain future and that Wormhole Crypto is essential infrastructure."
The incident comes just months after a massive DeFi attack in which a hacker - infamously dubbed "Mr. White Hat" - drained the Poly Network protocol of more than $600 million in cryptocurrency, before gradually returning the funds. Experts suggested at the time that the hacker likely had trouble laundering the funds. It remains the costliest crypto heist to date (see: Poly Network Says $600 Million in Cryptocurrency Stolen).
The highly decentralized DeFi space does not rely on traditional financial intermediaries and is instead powered by peer-to-peer contracts, across open-source apps, or DApps. Often, its admins offer little details on location or operation.
The Wormhole incident is the largest attack to date on the Solana ecosystem, according to blockchain security firm CertiK.
"Preliminary analysis indicates that the attacker exploited a mint function on the Solana side of the Wormhole bridge to create 120,000 wETH for themselves, then used these minted tokens to claim ETH that was held on the Ethereum side of the bridge," a spokesperson for CertiK, requesting anonymity, tells ISMG.
CertiK's analysis, the company executive says, shows that the attacker gained 93,750 ETH ($251 million), 432,662 SOL ($46.6 million), and 4.14 million USDC, a stablecoin pegged to fiat currency ($4.14 million), which in total amounted to $302,495,717.
"Wormhole’s bridge allowed users to convert their Ethereum-native ETH to Solana-compatible wETH. The bridge held a 1:1 ratio of ETH to wETH, acting essentially as an escrow service," CertiK says.
"Its popularity meant that it had become the dominant bridge between Solana and Ethereum, and as such was responsible for a large proportion of all wrapped Ether on the Solana blockchain. This exploit breaks the 1:1 peg, as there is now at least 93,750 less ETH held as collateral. If this ratio is not regained, DeFi on Solana is potentially at risk of a mass liquidation event," the spokesperson adds.
As users engage more and more with the multi-chain world, services that link blockchains will only become more important, the spokesperson adds. "This exploit highlights the catastrophic losses that can occur when critical infrastructure fails. The effects of Wormhole’s exploit on the collateralization of Solana DeFi is of particular note, both in the immediate short term and going forward," CertiK says.
Twitter user @samczsun, who says he is a research partner at crypto and web3 investment firm Paradigm, explains how the attackers likely exploited the network.
First, we had to determine where the exploit occurred. Ethereum, or Solana? A quick check of the encoded VM that the attacker submitted showed that it contained valid signatures from the guardians. This meant that either they got the private keys, or they exploited the bridge. pic.twitter.com/zzxcoU54Jh— samczsun (@samczsun) February 3, 2022
"Ethereum, or Solana? A quick check of the encoded VM that the attacker submitted showed that it contained valid signatures from the guardians. This meant that either they got the private keys, or they exploited the bridge," samczsun writes.
Investigating previous transactions and checking Wormhole's Github, the researcher determined that attackers likely took the latter route. They go on to describe the execution of multiple functions that likely allowed the threat actor to obtain the 120,000 ETH, details of which are described in the tweet thread.
They add: "tl;dr - Wormhole didn't properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum."
Cryptocurrency exchanges remain the soft underbelly of cryptocurrency and it’s not uncommon for them to be targeted, says John Bambenek, principal threat hunter at digital IT and security operations firm Netenrich.
"In the absence of any central authority, there isn’t much that exchanges can do if they are compromised except to watch and track the funds as they walk out the door. The only good news is that it’ll be hard for the thieves to liquidate those assets into hard currency without leaving fingerprints that can lead to their identification," Bambenek tells ISMG.
The recent string of cryptocurrency breaches is evidence that people who build into a quickly evolving market are more likely to take shortcuts, says Casey Ellis, founder and CTO of crowdsourced bug bounty platform Bugcrowd.
"Web 3.0 is built on the fundamentals of transparency and distributed accountability. Exposure of vulnerabilities in the organizations who are coordinating this is a part of the deal they signed on to. I feel that we're only in the early stages of understanding what the implications of that look like," Ellis tells ISMG.
ISMG Staff Writer Dan Gunderman contributed to this report.
Update [Feb. 4, 10 a.m. EST]: This story has been updated to include news of Jump Crypto's ETH replenishment.