Wormhole, a popular cross-blockchain bridge that is well known for connecting the Ethereum and Solana blockchains, has suffered a security exploit that resulted in the loss of 120,000 wETH tokens from the platform, worth $318 million at Ether's current price.
The project’s official Twitter handle confirmed in a tweet that the bridge is currently down while the team investigates a potential exploit, and a message on the official website simply reads, “Portal is Temporarily Unavailable.”
Wormhole is a token bridge that allows users to send and receive crypto between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without the use of a centralized exchange (CEX).
What you should know
- According to reports, the hack took place on the Solana side of the bridge, and there are fears Wormhole’s bridge to Terra could be similarly vulnerable. The attacker minted 120,000 wETH (WETH) on Solana, then redeemed 93,750 WETH for ETH worth $248 million on the Ethereum network. The hacker has since used some funds to buy SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club Token (APE).
- The remaining WETH was swapped for SOL and USDC on Solana. The hacker’s Solana wallet currently holds 432,662 SOL worth 42.4 million.
- The Wormhole hack is currently the biggest crypto hack of 2022 and the second-largest DeFi hack to date. The Wormhole team is now attempting to negotiate with the hacker and has offered a $10 million bug bounty for the return of the funds.
- The hack has raised alarm in DeFi circles because it now means ETH that has been bridged to Solana may be unbacked. Cross-blockchain bridges often work by taking an asset, such as ETH, and locking it in a contract to issue a parallel asset on the bridged chain.
- However, the Wormhole team has assured the community that its ETH supply would be replenished to “ensure wETH is backed 1:1,” but there is no word yet on where those funds will come from or when.
- They stated, “The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience.”
- In an interview with CoinDesk, George Harrap, founder of Solana DeFi platform Step Finance, said he expects Jump Capital, the firm that purchased Wormhole developer Certus One in August 2021, to step in to backstop the hacked ETH. If not, he added, a number of Solana-based platforms that accept ETH as collateral may now be partially insolvent.
- He stated, “If nobody backs it and the coins are truly gone then Wormhole ETH is worth 0 and everyone who has a balance of it becomes worthless, DeFi protocols, users, everyone.”
This is the second smart contract exploit on a token bridge within 7 days. Qubit Finance’s QBridge was also exploited for $80 million on BSC on the 28th of January 2022.
The frequency of smart contract hacks on token bridges serves to validate Vitalik Buterin’s warning that there are “fundamental security limits of bridges.” The Ethereum co-founder’s admonition was made in the context of a 51% attack on Ethereum, but his advice was well-timed, as he pointed out the general vulnerability apparent on bridges that send tokens across layer-1 blockchains.