DeFi bridge Wormhole is hacked for $325 million

    05 Feb 2022

    The DeFi platform Wormhole became the victim of the largest crypto heist this year when an attacker exploited a security flaw to make off with close to $325 million. The attack on the popular bridge linking Ethereum and Solana is among the top five largest crypto hacks of all time.

    The attack took place on February 2 when the Wormhole Twitter account announced that the network was being taken “down for maintenance” while a potential exploit was investigated.

    Wormhole provides a service known as a “bridge” between blockchains, essentially an escrow system that allows one type of cryptocurrency to be deposited to create assets in another cryptocurrency. This allows a person or entity with holdings in one cryptocurrency to make trades and purchases using another, somewhat like funding a bank account in dollars and then using a bank card to buy something priced in euros.

    To carry out the attack, the attacker managed to forge a valid signature for a transaction that allowed them to mint 120,000 wETH freely – a “wrapped” Ethereum equivalent on the Solana blockchain, with a value equivalent to $325 million at the time of the theft – without first inputting an equal amount. This was then exchanged for around $250 million in Ethereum that was sent from Wormhole to the hackers’ account, effectively liquidating a large amount of the platform’s Ethereum funds that were being held as collateral for transactions on the Solana blockchain.

    Due to the nature of cross-chain applications, the attack temporarily left a massive deficit between the amount of wrapped Ethereum and regular Ethereum held in the Wormhole bridge – as if the collateral asset backing a loan had suddenly disappeared. According to Forbes, the attack caused a 10% drop in the value of the Solana cryptocurrency.
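
    The gap described above, wrapped tokens in circulation with no collateral behind them, is the condition a bridge operator can watch for by reconciling mints against deposits. The sketch below is an added example, not Wormhole's code; the event format, the `msg_id` field and every amount other than the 120,000 mint are constructed for illustration.

```python
from decimal import Decimal

# Constructed event stream (not real chain data). "lock"/"release" occur in the
# source-chain escrow; "mint"/"burn" occur on the destination chain.
# msg_id is a hypothetical identifier tying a mint to the lock that backs it.
EVENTS = [
    {"type": "lock", "msg_id": "m1", "amount": "500"},
    {"type": "mint", "msg_id": "m1", "amount": "500"},
    {"type": "lock", "msg_id": "m2", "amount": "1000"},
    {"type": "mint", "msg_id": "m2", "amount": "1000"},
    {"type": "mint", "msg_id": "m3", "amount": "120000"},  # no backing lock
    {"type": "burn", "msg_id": "b1", "amount": "250"},
    {"type": "release", "msg_id": "b1", "amount": "250"},
]

def reconcile(events):
    """Replay bridge events; return (alerts, locked collateral, wrapped supply)."""
    locks, burns = {}, {}   # msg_id -> amount not yet consumed by a mint/release
    locked = supply = Decimal(0)
    alerts = []
    for ev in events:
        kind, mid, amt = ev["type"], ev["msg_id"], Decimal(ev["amount"])
        if kind == "lock":
            locks[mid] = amt
            locked += amt
        elif kind == "mint":
            backing = locks.pop(mid, None)  # pop: one lock may back one mint only
            if backing is None:
                alerts.append(f"mint {mid}: {amt} minted with no matching lock")
            elif backing != amt:
                alerts.append(f"mint {mid}: minted {amt} against lock of {backing}")
            supply += amt
        elif kind == "burn":
            burns[mid] = amt
            supply -= amt
        elif kind == "release":
            burned = burns.pop(mid, None)
            if burned != amt:
                alerts.append(f"release {mid}: {amt} released, burned {burned}")
            locked -= amt
    if supply > locked:  # the invariant a bridge must hold: supply <= collateral
        alerts.append(f"undercollateralized by {supply - locked}")
    return alerts, locked, supply
```

    Because a lock is consumed when its mint is seen, a second mint that reuses the same `msg_id` is flagged the same way as one with no deposit at all.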

    The Wormhole attack also ranks among the top five largest crypto hacks of all time.

    The Wormhole team has announced that more Ethereum will be added to the bridge to replace the stolen collateral funds, effectively meaning that the company will need to find $325 million in assets to plug the gap.

    At this stage, it is unclear where the funds will come from. Questions sent to Jump Crypto, the parent company of the developers of the Wormhole application, had not received a response at the time of publication.

    Shortly after the attack, the Wormhole team also offered the hacker a $10 million bounty to return the funds, embedded as text in a transaction sent to the attacker’s Ethereum wallet address.

    In recent times, DeFi has become a key target for attacks. Last August, another DeFi platform, Poly Network, suffered a $612 million hack in which the hacker stole assets from Ethereum, Binance Chain, and the Polygon Network. It could be the biggest heist in DeFi history; however, the suspected hacker returned the stolen funds in a few days, saying he did it “for fun.”
