The Wormhole token bridge experienced a security exploit on Wednesday, resulting in the loss of 120,000 Wrapped Ether (wETH) tokens ($321 million) from the platform.
Wormhole is a token bridge that allows users to send and receive crypto between Ethereum, Solana, Binance Smart Chain (BSC), Polygon, Avalanche, Oasis and Terra without the use of a centralized exchange. This is the largest crypto hack of 2022 so far and the second-largest decentralized finance hack to date. The Wormhole team has offered a $10-million bug bounty for the return of the funds.
The hack took place on Solana’s side of the bridge, and there are fears that Wormhole’s bridge to Terra could be similarly vulnerable.
The Wormhole team has assured the community that its Ether (ETH) supply would be replenished to “ensure wETH is backed 1:1,” but there is no word yet on where those funds will come from or when.
The hack took place at 6:24 pm UTC on Wednesday. The attacker minted 120,000 wETH on Solana, then redeemed 93,750 wETH for ETH worth $254 million onto the Ethereum network at 6:28 pm UTC. The hacker has since used some funds to buy SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK) and Bored Ape Yacht Club Token (APE).
No other assets or chains served by Wormhole have been reported affected, but smart contract auditing firm Certik said in a report today that “it is possible that Wormhole’s bridge to the Terra blockchain shares the same vulnerability as their Solana bridge.”
The Wormhole team contacted the hacker through their Ethereum address, offering to let the hacker keep $10 million worth of funds stolen if the remaining funds are returned.
“This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at email@example.com”
As of the time of writing, wETH tokens sent across the bridge are not yet redeemable, while the Wormhole team attempts to fix the exploit.
This is the second smart contract exploit on a token bridge in a week. On Friday, Qubit Finance’s QBridge was exploited for $80 million on BSC. It is also reminiscent of the Poly Network hack last August wherein $610 million in crypto was stolen off the platform. In that case, nearly all of the funds were returned by the whitehat hacker.
The frequency of smart contract hacks on token bridges serves to validate Vitalik Buterin’s Jan. 7 warning that there are “fundamental security limits of bridges.” The Ethereum co-founder’s admonition was within the context of a 51% attack on Ethereum, but his advice was well-timed as he pointed out the general vulnerability apparent on bridges that send tokens across layer-1 blockchains.