Today, a security vulnerability in the Wormhole token bridge resulted in the theft of 120,000 WETH tokens (or $321 million) from the platform.
Wormhole, a token bridge, allows users to send and receive crypto between Ethereum, Solana, BSC and Polygon without having to use a centralized exchange (CEX). This hack is the biggest crypto hack in 2022 and the second largest DeFi hack. Wormhole has offered a $10M bug bounty for the return of the funds.
The hack occurred on the Solana side of the bridge, and Wormhole’s Terra bridge may be equally vulnerable.
Although the Wormhole team assured the community that it would replenish its ETH supply to “ensure wETH was backed 1:1,” there are no details on when the funds will arrive or where they will come from.
The wormhole network was exploited to generate 120k wETH. To ensure that wETH is fully supported, ETH will be added in the coming hours. We will be providing more details shortly. We are working quickly to restore the network. We appreciate your patience.
Wormhole (@wormholecrypto), February 2, 2022
The hack occurred on February 2 at 6:24 UTC. The hacker created 120,000 WETH, then moved 93,750 WETH to the Ethereum network as ETH worth $254 million at 06:28 UTC. Since then, the hacker has spent some of the funds on SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club Tokens (APE).
The remaining WETH was exchanged for USDC and SOL on Solana. The hacker's Solana wallet currently contains 432,662 SOL ($44 million).
Wormhole has not reported any other assets or chains being affected. However, smart contract auditing firm Certik stated in a report that Wormhole’s bridge to the Terra blockchain may have the same vulnerability as its Solana bridge.
Wormhole reached out to the hacker via their Ethereum address and offered to let the hacker keep $10 million if the stolen funds were returned.
“This is the Wormhole deployer: We noticed that you were able to exploit the Solana VAA authentication and mint tokens. We would like to offer you a whitehat deal and return the wETH that you have minted. [email protected] to get in touch with us.”
As of this writing, the Wormhole team is still working to fix the vulnerability, so wETH tokens that were sent across the bridge are not yet redeemable.
This is the second smart contract exploit on a token bridge in one week. Qubit Finance’s QBridge was hacked for $80 million on BSC on Jan. 28. It is also reminiscent of the Poly Network hack of August, where $610 million worth of crypto was stolen from the platform. The whitehat hacker returned almost all the funds in that case.
The frequency of smart contract hacks on token bridges has validated Vitalik Buterin’s Jan. 7, 2017 warning about “fundamental security limitations of bridges.” His advice was timely, as he pointed to the vulnerability of bridges that transmit tokens between layer-1 blockchains.
Eileen Wilson –Technology and Energy