The Wormhole Token Bridge was hit by a security breach today, resulting in the loss of 120,000 wETH tokens ($321 million) on the platform.
Wormhole is a token bridge that allows users to send and receive cryptocurrencies between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without using a centralized exchange (CEX). This is the largest crypto hack of 2022 so far and the second largest DeFi hack to date. The Wormhole team has offered a $10 million bounty for the return of the funds.
The hack took place on the Solana side of the bridge and there are fears that the bridge from Wormhole to Terra could be similarly vulnerable.
The Wormhole team has assured the community that the ETH stockpile will be replenished to “ensure wETH is secured 1:1,” but it is not yet known where those funds will come from or when.
The hack took place at 18:24 UTC on February 2. The attacker minted 120,000 wrapped ETH (WETH) on Solana and then exchanged 93,750 WETH for $254 million worth of ETH on the Ethereum network at 18:28 UTC. The hacker has since used some of the money to buy SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK) and Bored Ape Yacht Club Token (APE).
The remaining WETH was swapped for SOL and USDC on Solana. There are currently 432,662 SOL ($44 million) in the hacker’s Solana wallet.
No other assets or chains serviced by Wormhole have been reported to be affected, but smart-contract audit firm CertiK said in a report today that “it is possible that Wormhole’s bridge to the Terra blockchain has the same vulnerability as the Solana bridge.”
The Wormhole team contacted the hacker through his Ethereum address and offered to let him keep $10 million worth of the stolen funds if the rest of the funds were returned.
“This is Wormhole Deployer: We have determined that you have managed to exploit the Solana VAA verification and mint tokens. We are offering you a whitehat agreement and offering a $10 million bounty for details on the exploit and the return of the WETH you minted. You can reach us at [email protected].”
At the time of writing, WETH tokens sent across the bridge cannot yet be redeemed while the Wormhole team tries to fix the vulnerability.
This is the second smart contract exploit on a token bridge in a week. On Jan. 28, Qubit Finance’s QBridge was exploited for $80 million on BSC. It is also reminiscent of the Poly Network hack last August wherein $610 million in crypto was stolen off the platform. In that case, nearly all of the funds were returned by the whitehat hacker.
The frequency of smart contract hacks on token bridges serves to validate Vitalik Buterin’s Jan. 7 warning that there are “fundamental security limits of bridges.” The Ethereum co-founder’s admonition was within the context of a 51% attack on Ethereum, but his advice was well-timed as he pointed out the general vulnerability apparent on bridges that send tokens across layer-1 blockchains.