Wormhole, a bridge that links Solana with other popular blockchains, has been robbed of $320 million worth of wrapped Ethereum (wETH), suffering the second-biggest hack in the decentralized finance space on record.
The project quickly acknowledged the incident in a tweet.
Wormhole developers have come up with a whitehat agreement for the hacker, offering them a $10 million bounty.
As reported by U.Today, PolyNetwork, which suffered the biggest DeFi hack to date, managed to successfully return all of its stolen funds in August after weeks of negotiation with the attacker.
An expensive bug
In a recent thread, developer Kelvin Fichter explains that the attacker minted wETH on Solana and withdrew it to the Ethereum blockchain.
Alright. I figured out the Solana x Wormhole Bridge hack. ~300 million dollars worth of ETH drained out of the Wormhole Bridge on Ethereum. Here's how it happened.
— smartcontracts (@kelvinfichter) February 3, 2022
The hacker was able to exploit a bug in Wormhole's verification function, using a fake system program to obfuscate the fact that the signature check had not been executed.
After tricking the system into minting wETH on Solana, the attacker bridged it back to Ethereum.
Wormhole says that the vulnerability has now been patched.
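The class of bug described above, reduced to a simplified model (an added example, not Wormhole's code and not its actual patch): a verifier that believes a caller-supplied account's claim that the signature check ran, next to a version that first confirms the account is the genuine one. The `Address`, `Account`, `TRUSTED_SYSTEM_ACCOUNT` and `mint` names and all values are constructed for illustration.

```rust
// Added illustration: a simplified model. All names and values are constructed.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
struct Address(u8);

// Address of the genuine system account the verifier is supposed to read (constructed).
const TRUSTED_SYSTEM_ACCOUNT: Address = Address(1);

// An account supplied by the caller; the caller chooses which one to pass in.
struct Account {
    address: Address,
    // What the account's data claims about this transaction.
    says_signature_checked: bool,
}

#[derive(Debug, PartialEq)]
enum VerifyError {
    UntrustedAccount,
    SignatureNotChecked,
}

// Vulnerable form: believes the account's contents without confirming its identity.
fn verify_vulnerable(acct: &Account) -> Result<(), VerifyError> {
    if acct.says_signature_checked {
        Ok(())
    } else {
        Err(VerifyError::SignatureNotChecked)
    }
}

// Hardened form: reject any account that is not the expected one, then read it.
fn verify_hardened(acct: &Account) -> Result<(), VerifyError> {
    if acct.address != TRUSTED_SYSTEM_ACCOUNT {
        return Err(VerifyError::UntrustedAccount);
    }
    verify_vulnerable(acct)
}

// Minting is gated on whichever verifier the bridge uses.
fn mint(verify: fn(&Account) -> Result<(), VerifyError>, acct: &Account, amount: u64) -> Result<u64, VerifyError> {
    verify(acct).map(|_| amount)
}

fn main() {
    // A look-alike account at a different address that claims the check ran.
    let look_alike = Account { address: Address(99), says_signature_checked: true };
    println!("vulnerable: {:?}", mint(verify_vulnerable, &look_alike, 100));
    println!("hardened:   {:?}", mint(verify_hardened, &look_alike, 100));
}
```

The hardened verifier fails closed on identity before it reads any data, so a look-alike account is rejected regardless of what it claims.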
A prescient warning?
Ethereum co-founder Vitalik Buterin recently warned about the security vulnerabilities of centralized cross-chain bridges in a lengthy Reddit post published last month, claiming that they were at great risk of a 51% attack.
Jonathon Wu, growth lead at Aztec Network, however, points to the fact that the Wormhole hack boils down to a smart contract bug, which is why Buterin's warning might not apply in that particular case.
Vitalik was saying "it's a lot easier to 51% attack a bridging protocol's 19-node validator set than an L1's 30,000 nodes, and if the prize is big enough, it could happen."
— jonwu.eth (@jonwu_) February 3, 2022
He didn't say that multi-chain bridges are at a greater risk of smart contract bugs than anything else.