Key takeaways:
- Wormhole Network, a DeFi bridge connecting Solana and Ethereum, was exploited for more than $300 million
- The hacker was able to mint 120,000 wETH (worth $313M at press time) by falsifying authentication in Solana’s smart contract code
- The Wormhole team is offering a $10 million bounty in hopes the attacker returns the stolen funds
Smart contract exploit leads to a $300 million attack on the Wormhole Network
Wormhole, a blockchain bridge allowing transfers between Solana and Ethereum, has fallen victim to one of the largest crypto hacks ever. In the early hours of Wednesday, the Wormhole team took to Twitter to share the unfortunate news that its blockchain interoperability solution “was exploited for 120k wETH.”
The team immediately patched the vulnerability in the smart contract code that made the attack possible and stated they are hard at work to bring the network online “as soon as possible.”
The magnitude of the hack has sparked massive investigation efforts by a number of blockchain experts and ignited a heated discussion over Solana network security. Kelvin Fichter, a software engineer working at Uniper who goes by the Twitter moniker “smartcontracts”, was among the first to piece together the events that led to more than $300 million worth of stolen crypto funds. He documented his findings in a Twitter thread.
According to Fichter, the attacker took advantage of Solana’s approach to smart contract validation, which allowed them to deposit 0.1 ETH and mint 120,000 wrapped ETH without drawing the attention of the network’s security systems. The attacker was able to falsify the signature of network guardians in order to create new wETH, without having to deposit an equivalent amount of ETH.
“After that point, it was game over. The attacker made it look like the guardians had signed off on a 120k deposit into Wormhole on Solana, even though they hadn’t. All the attacker needed to do now was to make their ‘play’ money real by withdrawing it back to Ethereum.”
Fichter added that the attacker made a single withdrawal of roughly 80,000 ETH and an additional withdrawal of approximately 10,000 ETH shortly after. The address connected with the attack currently holds 93,750 ETH, worth $243.5 million at current market rates. In hopes of reclaiming the stolen funds, the Wormhole team is offering a $10 million reward to the attacker if they come forward and return the loot.
Last August, Poly Network became a victim of one of the largest crypto attacks in history, when an anonymous hacker made off with $612 million worth of DeFi assets. Luckily for the Poly Network team and users affected by the massive exploit, the attacker turned out to be a “white hat” hacker and ended up returning the stolen funds. We can only hope that Wormhole’s unfortunate situation resolves in an equally amicable manner.
The price of Solana’s native SOL token took a beating once the news of the hack became widely publicized. In a matter of 8 hours, SOL’s value fell by more than 12%.