In what is being called one of the biggest crypto hacks of all time, and the biggest of the year so far, a hacker exploited a security vulnerability in Wormhole smart contracts to steal more than 120,000 ETH. At prices at the time, the total value of the stolen funds was over $458,000 million AUD.
Wormhole is a kind of bridge that allows crypto users to move between the Ethereum and Solana blockchain platforms. As Solana has become more popular due to its cheap and fast transactions, NFT and DeFi players have been using it more and more.
Solana had recently hit its all-time high price of $259.96 USD in November.
At the time of writing, Wormhole has already restored the stolen funds on the platform with funds provided by Jump Crypto, but the stolen tokens are still in the attacker’s wallet. This has prompted speculation that the company sourced the money from its investors.
.@JumpCryptoHQ believes in a multichain future and that @WormholeCrypto is essential infrastructure. That’s why we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop.
— Jump Crypto 🦬 (@JumpCryptoHQ) February 3, 2022
Hack Utilised Wrapped Ethereum Tokens
To understand the hack, you have to understand how Wormhole operates. As a bridge between Solana and Ethereum, Wormhole operates smart contracts on both blockchain networks. If you want to transact on Solana, you deposit ETH that gets locked up in a Wormhole smart contract, which then allows you to create wrapped Ethereum (wETH) tokens.
A wrapped token is a 1:1 equivalent of the locked ETH, but you can trade it on the other platform freely. What the attacker did was forge a transaction signature that allowed them to mint 120,000 wETH without first depositing the corresponding amount of ETH.
They were then able to “withdraw” the stolen funds from Wormhole into the Ethereum platform, to the tune of over $352 million AUD, with the rest remaining in SOL or wETH tokens.
Hack Started With GitHub Post
The hack started with a GitHub post showing an apparent vulnerability that was supposed to be patched. However, a few hours later, the hacker exploited the vulnerability and made off with the funds, showing that the security patch hadn’t been applied yet.
Though the change looked like a run-of-the-mill update, the hacker was quick to notice extensive changes to transfer protocols. This raises the question: doesn’t Wormhole have verification procedures in place?
A post-mortem examination shows that the transfers were indeed checked and verified as being legitimate by Wormhole’s guardian protocols. You can read the technical details of the exploit here for more information, but in effect, the attacker was able to convince the guardian programs that a signature check had been executed, and then went ahead and minted wETH.
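The failure described above, as an added example that is not Wormhole's code or part of the original article: a toy Python bridge whose mint step either believes a caller-supplied claim that the signature check ran, or recomputes the check itself. The `Attestation` record, the `Bridge` class, the message format and the demo key are assumptions, and HMAC stands in for the guardians' real signature scheme.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key; HMAC stands in for the guardians' real signature scheme.
GUARDIAN_KEY = b"constructed-demo-key"

def guardian_sign(message: bytes) -> bytes:
    return hmac.new(GUARDIAN_KEY, message, hashlib.sha256).digest()

@dataclass
class Attestation:          # hypothetical record handed to the mint step
    message: bytes          # e.g. b"mint:7:5" = sequence 7, amount 5
    signature: bytes
    checked: bool           # claim that a signature check was executed

class Bridge:
    def __init__(self) -> None:
        self.locked = 0     # ETH held in escrow
        self.minted = 0     # wETH in circulation
        self.sequence = 0
        self.used = set()   # attestations already redeemed (replay guard)

    def deposit(self, amount: int) -> Attestation:
        """Lock ETH and return a guardian-signed attestation for that amount."""
        self.locked += amount
        self.sequence += 1
        msg = f"mint:{self.sequence}:{amount}".encode()
        return Attestation(msg, guardian_sign(msg), checked=True)

    def mint_vulnerable(self, att: Attestation) -> bool:
        # Flaw: believes the caller-supplied flag instead of checking the signature.
        if not att.checked:
            return False
        self.minted += int(att.message.split(b":")[2])
        return True

    def mint_hardened(self, att: Attestation) -> bool:
        # Recompute the check locally; att.checked is ignored entirely.
        if not hmac.compare_digest(att.signature, guardian_sign(att.message)):
            return False
        if att.message in self.used:
            return False    # each attestation mints at most once
        self.used.add(att.message)
        self.minted += int(att.message.split(b":")[2])
        return True

    def fully_backed(self) -> bool:
        return self.minted <= self.locked
```

The invariant worth monitoring in any bridge of this shape is `fully_backed()`: wrapped supply must never exceed the escrowed balance.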
Industry Sentiment Following the Hack
Ethereum founder Vitalik Buterin had already warned of the danger of these cross-platform “bridges” due to “fundamental limits to the security of bridges.”
When bridges like Wormhole hold millions of dollars of assets locked in escrow, they become prime targets for attackers. With the Polygon Network hack just last August and Crypto.com’s hack last month, the security of crypto institutions such as DeFi platforms is coming into question.
Evan Van Ness, the founder of Starbloom Ventures, tweeted,
“This bridge that Sqlana (sic) hyped as “secure, trustless” a few months ago just got hacked for 80k ETH.”
We can only expect such exploits to increase in number and magnitude as crypto and blockchain become more and more popular. As crypto users, we can only exercise more caution and transact on the most reputable and reliable platforms.