Wormhole token bridge loses $321M in largest hack so far in 2022

Published at: Feb. 3, 2022

The Wormhole token bridge experienced a security exploit today, resulting in the loss of 120,000 wETH tokens ($321 million) from the platform.

Wormhole is a token bridge that allows users to send and receive crypto between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without the use of a centralized exchange (CEX). This is the largest crypto hack of 2022 so far and the second largest DeFi hack to date. The Wormhole team has offered a $10M bug bounty for the return of the funds.

The hack took place on the Solana side of the bridge and there are fears Wormhole’s bridge to Terra could be similarly vulnerable.

The Wormhole team has assured the community that its ETH supply would be replenished to “ensure wETH is backed 1:1,” but there is no word yet on where those funds will come from or when.

The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience.

— Wormhole (@wormholecrypto) February 2, 2022

The hack took place at 6:24pm UTC on Feb. 2. The attacker minted 120,000 wETH (WETH) on Solana, then redeemed 93,750 WETH for ETH worth $254 million on the Ethereum network at 6:28pm UTC. The hacker has since used some funds to buy SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club Token (APE).

The remaining WETH was swapped for SOL and USDC on Solana. The hacker’s Solana wallet currently holds 432,662 SOL ($44 million).

No other assets or chains served by Wormhole have been reported as affected, but smart contract auditing firm CertiK said in a report today that “It is possible that Wormhole’s bridge to the Terra blockchain shares the same vulnerability as their Solana bridge.”

The Wormhole team contacted the hacker through their Ethereum address and offered to let the hacker keep $10 million worth of the stolen funds if the remaining funds are returned.

“This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at [email protected]”

As of the time of writing, wETH tokens sent across the bridge are not yet redeemable while the Wormhole team attempts to fix the exploit.

This is the second smart contract exploit on a token bridge in a week. On Jan. 28, Qubit Finance’s QBridge was exploited for $80 million on BSC. It is also reminiscent of the Poly Network hack last August wherein $610 million in crypto was stolen off the platform. In that case, nearly all of the funds were returned by the whitehat hacker.

The frequency of smart contract hacks on token bridges serves to validate Vitalik Buterin’s Jan. 7 warning that there are “fundamental security limits of bridges.” The Ethereum co-founder’s admonition was within the context of a 51% attack on Ethereum, but his advice was well-timed as he pointed out the general vulnerability apparent on bridges that send tokens across layer-1 blockchains.
