Token Bridge Wormhole Exploited for $334M

  • Since the incident, the Wormhole team has claimed that a fix for the exploit has been found and already deployed, and that all funds are safe.
  • The token bridge has also contacted the hacker through his Ethereum address, offering him a $10 million bug bounty if he was willing to return the stolen funds.

Popular token bridge Wormhole has suffered a security exploit, which saw an attacker steal 120,000 wETH tokens (worth around $334 million) from the platform, the project said on Twitter on 3 February.

According to blockchain data, the exploit took place on the Solana side of the bridge, where the attacker was able to mint 120,000 wETH into his wallet and then redeem 93,750 of those tokens for ETH on the Ethereum network. The hacker used the remaining wETH on Solana to acquire SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club (APE) tokens.

Shortly after the incident occurred, the Wormhole team paused the bridge, but it has since placed a message on its website claiming that “A fix has been deployed and all funds are safe”. The team has also contacted the attacker through his Ethereum address, offering him a $10 million bug bounty if he decides to return the stolen funds.

While the project has yet to release details of the exploit, Paradigm security researcher “samczsun” noted it is likely that “Wormhole didn’t properly validate all input accounts”, allowing the attacker to “spoof guardian signatures” and mint the 120,000 wETH on Solana. Wormhole is a token bridge that enables users to send and receive crypto between different blockchains without the use of a centralized exchange. It currently supports Ethereum, Solana, Binance Smart Chain, Polygon, Avalanche, Oasis, and Terra.

Wormhole’s hack marks the second token bridge smart contract exploit in a week. Last week, an attacker was able to steal more than $80 million worth of BNB tokens on the BSC network through an exploit in Qubit Finance’s QBridge smart contract. As with Wormhole, the Qubit hacker was able to fool the protocol and mint an asset representing bridged ETH, which he then converted into BNB tokens.
