Popular token bridge Wormhole has suffered a security exploit, which saw an attacker steal 120,000 wETH tokens (worth around $334 million) from the platform, the project said on Twitter on 3 February.
According to blockchain data, the exploit took place on the Solana side of the bridge, where the attacker was able to mint 120,000 wETH into his wallet and then redeem 93,750 of those tokens for ETH on the Ethereum network. The hacker has used the remaining wETH on Solana to acquire SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club (APE) tokens.
Shortly after the incident occurred, the Wormhole team paused the bridge, and it has since placed a message on its website claiming that “A fix has been deployed and all funds are safe”. The team has also contacted the attacker through his Ethereum address, offering him a $10 million bug bounty if he decides to return the stolen funds.
While the project is yet to release details around the exploit, Paradigm security researcher “samczsun” noted it is likely that “Wormhole didn’t properly validate all input accounts”, allowing the attacker to “spoof guardian signatures” and mint the 120,000 wETH on Solana. Wormhole is a token bridge that enables users to send and receive crypto between different blockchains without the use of a centralized exchange. It currently supports Ethereum, Solana, Binance Smart Chain, Polygon, Avalanche, Oasis, and Terra.
Wormhole’s hack marks the second token bridge smart contract exploit in a week. Last week, an attacker was able to steal more than $80 million worth of BNB tokens on the BSC network through an exploit in Qubit Finance’s QBridge smart contract. As with Wormhole, the Qubit hacker was able to fool the protocol and mint an asset representing bridged ETH, which he then converted into BNB tokens.