Wormhole a token bridge between Ethereum and Solana has witnessed the latest DeFi hack resulting in the loss of 120,000 wETH tokens ($321 million) from the platform. This is the biggest hack in 2022 and second after PolyNetwork’s $610M in 2021
Wormhole is a token bridge that allows users to send and receive crypto without using a centralized exchange across Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra (CEX).
This is the second-biggest DeFi attack to date and the largest crypto hack of 2022 thus far. The Wormhole team has offered a $10 million bug bounty in exchange for the monies’ recovery.
About the hack
The hack occurred on the Solana side of the bridge, and there are concerns that Wormhole’s bridge to Terra may be vulnerable as well.
The Wormhole team has promised that its ETH supply would be replenished to “guarantee wETH is backed 1:1,” but no details on where that money will come from or when they will arrive have been released.
On February 2, at 6:24 p.m. UTC, a hack took occurred. At 6:28 p.m. UTC, the attacker created 120,000 wETH (WETH) on Solana, then redeemed 93,750 WETH for ETH worth $254 million on the Ethereum network. Since then, the hacker has purchased SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club Token with some of his funds (APE).
On Solana, the remaining WETH was exchanged for SOL and USDC. The hacker currently has 432,662 SOL ($44 million) in his Solana wallet.
There have been no reports of additional Wormhole assets or chains being harmed, but smart contract auditing firm Certik noted today that “it is plausible that Wormhole’s bridge to the Terra blockchain shares the same vulnerability as their Solana bridge.”
The Wormhole team contacted the hacker via Ethereum and offered to let them keep $10 million in stolen assets in exchange for the other cash being restored.
“This is the Wormhole Deployer,” says the narrator. We discovered that you were able to use the Solana VAA verification and mint tokens to your advantage. We’d like to offer you a whitehat agreement, as well as a $10 million bug bounty for exploit details and the wETH you’ve earned. Please contact us at [email protected].”
While the Wormhole team works to solve the exploit, wETH tokens sent across the bridge are still not redeemable at the time of writing.
DeFi Hack in 2022
This is the second token bridge smart contract exploit in a week. Qubit Finance’s QBridge was abused for $80 million on BSC on January 28. It’s also similar of the Poly Network theft, which saw $610 million in cryptocurrency taken from the site in August. In one scenario, the whitehat hacker refunded nearly all of the monies.
The high frequency of smart contract hacks on token bridges backs up Vitalik Buterin’s warning on January 7 that “fundamental security limits of bridges” exist.
Although the Ethereum co-advise founder’s came in the context of a 51 percent attack on Ethereum, it was timely since it pointed out the general vulnerability that exists on bridges that transmit tokens over layer-1 blockchains.