The Wormhole token bridge experienced a security exploit today, resulting in the loss of 120,000 wETH tokens ($321 million) from the platform.
Wormhole is a token bridge that allows users to send and receive crypto between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without the use of a centralized exchange (CEX). This is the largest crypto hack of 2022 so far and the second largest DeFi hack to date. The Wormhole team has offered a $10M bug bounty for the return of the funds.
The hack took place on the Solana side of the bridge and there are fears Wormhole’s bridge to Terra could be similarly vulnerable.
The Wormhole team has assured the community that its ETH supply would be replenished to “ensure wETH is backed 1:1,” but there is no word yet on where those funds will come from or when.
The wormhole network was exploited for 120k wETH.
ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly.
We are working to get the network back up quickly. Thanks for your patience.
— Wormhole (@wormholecrypto) February 2, 2022
The hack took place at 6:24pm UTC on Feb. 2. The attacker minted 120,000 wETH (WETH) on Solana, then redeemed 93,750 WETH for ETH worth $254 million onto the Ethereum network at 6:28pm UTC. The hacker has since used some funds to buy SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club Token (APE).
No other assets or chains served by Wormhole have been reported affected, but smart contract auditing firm Certik said in a report today that “It is possible that Wormhole’s bridge to the Terra blockchain shares the same vulnerability as their Solana bridge.”
The Wormhole team contacted the hacker through their Ethereum address to offered to let the hacker keep $10 million worth of funds stolen if the remaining funds are returned.
“This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at firstname.lastname@example.org”
As of the time of writing, wETH tokens sent across the bridge are not yet redeemable while the Wormhole team attempts to fix the exploit.
This is the second smart contract exploit on a token bridge in a week. On Jan. 28, Qubit Finance’s QBridge was exploited for $80 million on BSC. It is also reminiscent of the Poly Network hack last August wherein $610 million in crypto was stolen off the platform. In that case, nearly all of the funds were returned by the whitehat hacker.
The frequency of smart contract hacks on token bridges serves to validate Vitalik Buterin’s Jan. 7 warning that there are “fundamental security limits of bridges.” The Ethereum co-founder’s admonition was within the context of a 51% attack on Ethereum, but his advice was well-timed as he pointed out the general vulnerability apparent on bridges that send tokens across layer-1 blockchains.