On Wednesday, decentralized finance (DeFi) platform Wormhole fell victim to the biggest cryptocurrency theft this year — and one of the top five biggest crypto hacks of all time — when an attacker exploited a security flaw to make off with nearly $325 million.
The attack appears to be the result of a recent update to the project’s GitHub repository, which revealed a fix for a bug that had not yet been applied to the project itself.
The attack took place on Feb. 2 and was spotted when a message from the Wormhole Twitter account announced that the network was being “taken down for maintenance” while a possible exploit was being investigated. A later post from Wormhole confirmed the hack and the amount stolen.
The Wormhole network was exploited for 120k wETH.
ETH will be added over the next few hours to ensure wETH 1:1 is supported. More details will follow shortly.
We are working on getting the network up to date again soon. Thanks for your patience.
— Wormhole (@wormholecrypto) February 2, 2022
Shortly after the attack, the Wormhole team also offered the hacker a $10 million bounty to return the money; the offer was embedded as text in a transaction sent to the attacker’s Ethereum wallet address.
Wormhole offers a service known as a “bridge” between blockchains, essentially an escrow system that allows depositing one type of cryptocurrency to create assets in another cryptocurrency. This allows a person or entity with holdings in one cryptocurrency to make transactions and purchases with another, a bit like funding a dollar bank account and then using a bank card to buy something in euros.
To carry out the attack, the attacker managed to forge a valid signature for a transaction that allowed them to freely mint 120,000 wETH – a “wrapped” Ethereum equivalent on the Solana blockchain, with a value equivalent to $325 million at the time of the theft – without first depositing an equivalent amount. This was then exchanged for approximately $250 million in Ethereum sent from Wormhole to the hacker’s account, effectively liquidating a large portion of the platform’s Ethereum funds held as collateral for transactions on the Solana blockchain.
Open-source code commits show that code that would have addressed this vulnerability was written as early as January 13 and uploaded to the Wormhole GitHub repository on the day of the attack. Several hours later, the vulnerability was exploited by the hacker, suggesting that the updates had not yet been applied to the production application.
As software developer Matthew Garrett observed on Twitter, the code upload was described as a run-of-the-mill version update, but in fact contained extensive changes – a fact that could have tipped off the attacker that it was a covert security fix.
Another file available from the Wormhole GitHub page also describes a security audit conducted by security research firm Neodyme between July and September 2021. It is not clear whether the vulnerability was present during the audit period, and Neodyme did not respond to a request for comment.
Due to the nature of cross-chain applications, the attack temporarily left a huge gap between the amount of wrapped Ethereum and regular Ethereum held in the Wormhole bridge – as if the collateral backing a loan had suddenly disappeared. According to Forbes, the attack caused a 10 percent drop in the value of the Solana cryptocurrency.
The Wormhole team has announced that more Ethereum will be added to the bridge to replace the stolen collateral funds, which basically means the company will need to find $325 million in assets to close the gap.
It is not yet clear where the money will come from. Inquiries sent to Jump Crypto, the parent company of the developers of the Wormhole application, had not received a response at the time of publication.