Hacker stolen $320M from Wormhole exploit

05 Feb 2022 Heists

A hacker has recently stolen 120,000 ETH (worth $320 million) from Wormhole, which is a bridge between different blockchains. Specifically, the ETH was stolen between the Solana and Ethereum chains.

What happened?

On Feb 2, an attacker found a signature verification vulnerability, and minted himself 120 Wormhole-wrapped Ether on Solana. He then bridged 93,750 of these tokens to Ethereum and store in this address.

Embarrassingly, the attacker found the exploit only because the wormhole repository has a commit to patch the vulnerability, but without deploying it yet. It was a deprecated Solana sys call. So before wormhole deploys it, the attacker took the opportunity to exploit it. Ouch.

They offered him $10M to return the ETH, in the following transaction:

hmm $10M for $320M deal..

He didn’t take it.

How that affects investors?

I was personally affected as I invested $1,000 into a ETH-SOL liquidity pool on Raydium.

Once the ETH was stolen, it basically makes the weWETH (wormhole ETH) on Solana worthless, because they are not backed 1-1 on the Ethereum side.

Shortly after the ETH was stolen, investors withdraw from the pool, swap all the weWETH to other tokens, fearing they will become worthless.

The TVL dropped by half!

What did I do? I didn’t withdraw. I have faith someone in Solana will pay for the mistake, because they can’t let the system collapse. I know Sam Bankman-Fried’s FTX recently raise $400M, so maybe..

Jump Crypto foot the bill

Instead, this white knight replaced the 120k ETH.

@JumpCryptoHQ believes in a multichain future and that @WormholeCrypto is essential infrastructure. That’s why we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop.

And they now offer $10,000,000 reward for any information leading to the arrest and conviction of the attackers!

Whose fault?

Largely Wormhole themselves. FYI their incident report.

They patched and pushed the commit to the public repo, but without thinking how an attacker could exploit the vulnerability in the meanwhile (before it was actually deployed).

This is like scoring own goal.

A lesson on risks

Always remember: there are risks while blockchain technology is still young, with rapid changes, and apps built on top of it will have bugs.

This $320M lesson is a good reminder.

Do stay invested, just not all in 1 risky basket.