A vulnerability in the Wormhole token bridge was exploited on Wednesday, resulting in the loss of 120,000 wrapped Ether (wETH) ($321 million) from the platform.
Wormhole is a token bridge that allows users to send and receive cryptocurrencies between Ethereum, Solana, Binance Smart Chain (BSC), Polygon, Avalanche, Oasis, and Terra without using a centralized exchange. The hack is the largest cryptocurrency hack of 2022 to date and the second largest decentralized finance (DeFi) hack to date. The Wormhole team has offered the attacker a $10 million bounty.
The exploit occurred on the Solana side of the bridge, and it is feared that Wormhole's Terra bridge may also be vulnerable.
The Wormhole team has told the community that Ether (ETH) will be added to the bridge in order to “provide 1:1 support,” but there is no word yet on where the funds will come from or when.
The hack occurred at 18:24 UTC on Wednesday. The attacker minted 120,000 wETH on Solana and then exchanged 93,750 of it for ETH worth $254 million on the Ethereum network at 18:28 UTC. The hacker has since used some of the funds to buy SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club Token (APE).
The remaining wETH was exchanged for Solana (SOL) and USD Coin (USDC) on Solana. The Solana wallet currently holds 432,662 SOL ($44 million).
No other assets or chains operated by Wormhole were affected, but smart contract auditing firm CertiK stated in a report today that “it is possible that the Wormhole bridge to Terra blockchain has the same vulnerabilities as their Solana bridge.”
The Wormhole team contacted the hacker via their Ethereum address, offering to let the hacker keep $10 million of the stolen funds if the remaining funds are returned.
“This is a Wormhole Deployer: We noticed that you were able to use Solana VAA and Mint verification tokens. We would like to provide you a white paper and award you a $10 million reward for your usage details and a refund with you generated. You can contact us at email@example.com.”
At the time of writing, wETH tokens sent over the bridge cannot be redeemed while the Wormhole team works to fix the vulnerability.
This is the second smart contract exploit on a token bridge in a week. On Friday, QBridge, the BSC bridge from Qubit Finance, was exploited for $80 million. It is also reminiscent of the Poly Network hack in August of last year, when $610 million in cryptocurrency was stolen from the platform. In that case, the white hat hacker returned almost all of the money.
The frequent smart contract exploits on token bridges bear out Vitalik Buterin’s January 7 warning that there are “fundamental limitations to the integrity of bridges”. The Ethereum co-founder’s reservations concerned a 51% attack on Ethereum, but his warning was timely in pointing to an apparent common security weakness in bridges that send tokens across Layer 1 blockchains.