Token Bridge Wormhole Exploited for $334M

  • Since the incident, the Wormhole team has claimed that a fix for the exploit has been found and already deployed, and that all funds are safe.
  • The token bridge has also contacted the hacker through his Ethereum address, offering him a $10 million bug bounty if he was willing to return the stolen funds.

Popular token bridge Wormhole has suffered a security exploit, which saw an attacker steal 120,000 wETH tokens (worth around $334 million) from the platform, the project said on Twitter on 3 February.

According to blockchain data, the exploit took place on the Solana side of the bridge, where the attacker was able to mint 120,000 wETH into his wallet and then redeem 93,750 of those tokens for ETH on the Ethereum network. The hacker used the remaining wETH on Solana to acquire SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club (APE) tokens.

Shortly after the incident occurred, the Wormhole team paused the bridge, but it has since placed a message on its website claiming that “A fix has been deployed and all funds are safe”. The team has also contacted the attacker through his Ethereum address, offering him a $10 million bug bounty if he decides to return the stolen funds.

While the project is yet to release details around the exploit, Paradigm security researcher “samczsun” noted it is likely that “Wormhole didn’t properly validate all input accounts”, allowing the attacker to “spoof guardian signatures” and mint the 120,000 wETH on Solana. Wormhole is a token bridge that enables users to send and receive crypto between different blockchains without the use of a centralized exchange. It currently supports Ethereum, Solana, Binance Smart Chain, Polygon, Avalanche, Oasis, and Terra.

Wormhole’s hack marks the second token bridge smart contract exploit in a week. Last week, an attacker was able to steal more than $80 million worth of BNB tokens on the BSC network through an exploit in Qubit Finance’s QBridge smart contract. As with Wormhole, the Qubit hacker was able to fool the protocol and mint an asset representing bridged ETH, which he then converted into BNB tokens.
