Here's How DeFi Project Lost $320 Million Worth of Ether
Wormhole, a bridge that links Solana with other popular blockchains, has been robbed of $320 million worth of wrapped Ethereum (wETH), suffering the second-biggest hack in the decentralized finance space on record.
The project quickly acknowledged the incident in a tweet.
Wormhole developers have come up with a whitehat agreement for the hacker, offering them a $10 million bounty.
As reported by U.Today, PolyNetwork, which suffered the biggest DeFi hack to date, managed to successfully return all of its stolen funds in August after weeks of negotiation with the attacker.
An expensive bug
In a recent thread, developer Kelvin Fichter explains that the attacker minted wETH on Solana and withdrew it to the Ethereum blockchain.
Alright. I figured out the Solana x Wormhole Bridge hack. ~300 million dollars worth of ETH drained out of the Wormhole Bridge on Ethereum. Here's how it happened.
— smartcontracts (@kelvinfichter) February 3, 2022
The hacker was able to exploit a bug in Wormhole's verification function, using a fake system program to obfuscate the fact that the signature check had not been executed.
After fraudulently tricking the system into minting wETH on Solana, the attacker bridged it back to Ethereum.
Wormhole says that the vulnerability has now been patched.
A prescient warning?
Ethereum co-founder Vitalik Buterin recently warned about the security vulnerabilities of centralized cross-chain bridges in a lengthy Reddit post published last month, claiming that they were at great risk of a 51% attack.
Jonathon Wu, growth lead at Aztec Network, however, points to the fact that the Wormhole hack boils down to a smart contract bug, which is why Buterin's warning might not apply in that particular case.
Vitalik was saying "it's a lot easier to 51% attack a bridging protocol's 19-node validator set than an L1's 30,000 nodes, and if the prize is big enough, it could happen."
— jonwu.eth (@jonwu_) February 3, 2022
He didn't say that multi-chain bridges are at a greater risk of smart contract bugs than anything else.