en
Back to the list

Here's How DeFi Project Lost $320 Million Worth of Ether

source-logo  u.today 03 February 2022 05:00, UTC

Wormhole, a bridge that links Solana with other popular blockchains, has been robbed of $320 million worth of wrapped Ethereum (wETH), suffering the second-biggest hack in the decentralized finance space on record.

The project quickly acknowledged the incident in a tweet.

Wormhole developers have come up with a whitehat agreement for the hacker, offering them a $10 million bounty.

As reported by U.Today, PolyNetwork, which suffered the biggest DeFi hack to date, managed to successfully return all of its stolen funds in August after weeks of negotiation with the attacker.

An expensive bug

In a recent thread, developer Kelvin Fichter explains that the attacker minted wETH on Solana and withdrew it to the Ethereum blockchain.

Alright. I figured out the Solana x Wormhole Bridge hack. ~300 million dollars worth of ETH drained out of the Wormhole Bridge on Ethereum. Here's how it happened.

— smartcontracts (@kelvinfichter) February 3, 2022

The hacker was able to exploit a bug in Wormhole's verification function, using a fake system program to obfuscate the fact that the signature check had not been executed.

After fraudulently tricking the system into minting wETH on Solana, the attacker bridged it back to Ethereum.

Wormhole says that the vulnerability has now been patched.

A prescient warning?

Ethereum co-founder Vitalik Buterin recently warned about the security vulnerabilities of centralized cross-chain bridges in a lengthy Reddit post published last month, claiming that they were at great risk of a 51% attack.

Jonathon Wu, growth lead at Aztec Network, however, points to the fact that the Wormhole hack boils down to a smart contract bug, which is why Buterin's warning might not apply in that particular case.

Vitalik was saying "it's a lot easier to 51% attack a bridging protocol's 19-node validator set than an L1's 30,000 nodes, and if the prize is big enough, it could happen."

He didn't say that multi-chain bridges are at a greater risk of smart contract bugs than anything else.

— jonwu.eth (@jonwu_) February 3, 2022
u.today