The 4th Largest Crypto Theft Shows DeFi Weakness as Hacker Nets USD 325M in a Wormhole
The DeFi bridge between Solana (SOL) and other blockchains Wormhole lost wETH 120,000 (USD 325m) in a hack, once again stressing the weaknesses of this nascent sector. The team offered the hacker a USD 10m bounty if they return the funds.
In their latest update (13:39 UTC), Wormhole said that “all funds have been restored and Wormhole is back up,” while a detailed incident report should be shared “asap.”
Also, the team claims that “all funds are safe” and ETH contract has been filled and all wETH are backed 1:1. Jump Crypto, the owner of Wormhole and the digital-asset unit of quant shop Jump Trading Group, confirmed that it replaced the ETH 120,000 that was stolen.
.@JumpCryptoHQ believes in a multichain future and that @WormholeCrypto is essential infrastructure. That’s why we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop.
— Jump Crypto 🔥💃🏻 (@jump_) February 3, 2022
Per crypto analytics firm Elliptic, this is the fourth largest crypto theft of all time, and the second-largest theft from a DeFi service. According to the analysts, the exploit appears to have allowed the attacker to mint 120,000 wrapped ETH (wETH) on the Solana blockchain, ETH 93,750 of which was then transferred to the Ethereum (ETH) blockchain.
“This demonstrates once again that the security of DeFi services has not reached a level that is appropriate for the huge sums being stored within them,” Tom Robinson, Co-founder of Elliptic, told Bloomberg. “The transparency of the blockchain is allowing attackers to identify and exploit major bugs.”
Wormhole claims it has integrated seven blockchains – Ethereum, Solana, Terra, Binance Smart Chain, Polygon, Avalanche, and Oasis – and has USD 1bn in total value locked.
Per their website there are two features built on top of the generic message-passing protocol including:
- A token bridge that allows users to bridge wrapped assets between supported chains.
- An NFT bridge that allows ERC721 and SPL NFTs to be transferred between Ethereum, Binance Smart Chain, Polygon, Avalanche, Oasis, and Solana.
_____
Reactions:
The transaction that pulled out 80k ETH was actually the attacker transferring 80k ETH from Solana to Ethereum. I originally thought that the contract might've incorrectly validated the signatures on the transfer, but the signatures completely checked out.
— smartcontracts.eth (✨🔴_🔴✨) (@kelvinfichter) February 3, 2022
😭 the regret Wormhole devs must feel.
— Michelle Lai | ml_sudo (@michlai007) February 3, 2022
Also, there must be legions of black hat hackers examining GitHub repos for updates for this kind of opportunities. Wonder if this leads to fewer projects being willing to open source. https://t.co/eeVayZHhiU
so there was like zero QC testing on the code pic.twitter.com/97davrtKvS
— ᴄᴏʟin ꜱᴜʟʟɪᴠᴀɴ (@Colin_Sully) February 3, 2022
https://www.twitter.com/evan_van_ness/status/1489104772607188994What I'm waiting for? Hmm, good question.
— CoinMamba (@coinmamba) February 3, 2022
Maybe for you to do a proper audit and build a secure bridge? https://t.co/G1AvbwjAGe
the plot sifuns
— bulla (@BullishSelling) February 2, 2022
How is this credible? Apparently Wormhole is owned by Jump trading, which has a. deep pockets, and b. apparently some interest in keeping the Solana ecosystem running well. (Caveat I have no inside info on this, I'm just going off reading articles and such)
— Anthony Lee Zhang – e/acc (@AnthonyLeeZhang) February 3, 2022
yeah I retweeted this Vitalik tweet from about a month ago. It's still the Wild Wild West. People will jump across bridges if there's an economic need to even when told it's not safe. https://t.co/4Mttx8BV4T
— Miko (@mikojava) February 3, 2022
the funds were stolen from the operators of the bridge and they were refilled using their own reserves
— Udi Wertheimer (@udiWertheimer) February 3, 2022
and btw the whole thing is a tool for professional liquidity providers it’s unlikely that any retail had meaningful exposure at any point
steal 9 figs, return 80%, be a hero
— Zack Voell (@zackvoell) February 2, 2022
____
Learn more:
– Crypto Security in 2022: Prepare for More DeFi Hacks, Exchange Outages, and Noob Mistakes
– OpenSea Is Reportedly Being Exploited
– Centralization Caused Most Decentralized Finance Hacks in 2021
– Top Risks for DeFi Users and Investors According to Moody’s and Gauntlet
– Multichain Losses Reportedly Exceed USD 3M As Critical Vulnerability Remains Unsolved
– CRO Jumps as Crypto.com Releases USD 34M Hack Report
– Animoca Brands-Owned Lympo Hacked, LMT & LYM Tokens Go on Wild Ride
– LCX Loses USD 8M in a Hot Wallet Hack
– Polygon Justifies Its Quiet Hard-Fork Citing ‘Critical Vulnerability’
___
(Updated at 08:28 UTC with additional details and reactions. Updated at 14:24 UTC with the latest comments from Wormhole. Updated on February 4, at 04:34 UTC with a comment from Jump Crypto.)
