Token Bridge Wormhole Exploited for $334M

  • Since the incident, the Wormhole team has claimed that it found a fix for the exploit, that the fix has already been deployed, and that all funds are safe.
  • The token bridge has also contacted the hacker through his Ethereum address, offering him a $10 million bug bounty if he was willing to return the stolen funds.

Popular token bridge Wormhole has suffered a security exploit, which saw an attacker steal 120,000 wETH tokens (worth around $334 million) from the platform, the project said on Twitter on 3 February.

According to blockchain data, the exploit took place on the Solana side of the bridge, where the attacker was able to mint 120,000 wETH into his wallet and then redeem 93,750 of those tokens for ETH on the Ethereum network. The hacker used the remaining wETH on Solana to acquire SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club (APE) tokens.

Shortly after the incident occurred, the Wormhole team paused the bridge, and it has since placed a message on its website claiming that “A fix has been deployed and all funds are safe”. The team has also contacted the attacker through his Ethereum address, offering him a $10 million bug bounty if he decides to return the stolen funds.

While the project is yet to release details around the exploit, Paradigm security researcher “samczsun” noted it is likely that “Wormhole didn’t properly validate all input accounts”, allowing the attacker to “spoof guardian signatures” and mint the 120,000 wETH on Solana. Wormhole is a token bridge that enables users to send and receive crypto between different blockchains without the use of a centralized exchange. It currently supports Ethereum, Solana, Binance Smart Chain, Polygon, Avalanche, Oasis, and Terra.

Wormhole’s hack marks the second token bridge smart contract exploit in a week. Last week, an attacker was able to steal more than $80 million worth of BNB tokens on the BSC network through an exploit in Qubit Finance’s QBridge smart contract. As with Wormhole, the Qubit hacker was able to fool the protocol and mint an asset representing bridged ETH, which he then converted into BNB tokens.
