Cross-chain token bridge Wormhole loses $321M in largest hack of 2022

The token bridge between Ethereum and Solana saw 120K WITH tokens removed from the platform and distributed between the hacker's Solana and ETH wallets.

Cross-chain token bridge Wormhole loses $321M in largest hack of 2022

The Wormhole token bridge experienced security exploit today.  The loss of 120,000 wETH tokens ($321 million) from the platform. 

A wormhole is a token bridge that allows users to exchange crypto between Ethereum, Solana, BSC, Polygon, AValanche, Oasis, and Terra without the use of a centralized exchange (CEX). This is the largest crypto hack of 2022 and the second largest DeFi hack to date. The wormhole team has offered a $10M bug bounty for the return of the funds. 

The hack took place on the Solana side of the bridge and there are fears Wormhole's bridge to Terra could be similarly vulnerable. 

The Wormhole team has assured the community that its ETH supply would be replenished to "ensure wETH is backed 1:1," but there is no word yet on where those funds will come from or when, 

The attacker minted 120,000 wETH (WETH) on Solana, the hack took place at 6:24 pm UTC on Feb 2. redeemed 93,750 WETH for ETH worth $254 million onto the Ethereum network at 6:28 pm UTC. The hacker has since used some funds to buy Sportx(SX), Meta Capital(MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club Token (APE). 

The remaining WETH was swapped for SOL and USDC on Solana. The hacker's Solana wallet presently holds 432,6662 SOL($44 million).

No other assets or chains served by WHormhole have been reported affected, but smart contract auditing firm Certik said in a report today that "Wormhole's bridge to the Terra blockchain may share the same vulnerability as their Solana bridge."

The Wormhole team contacted the hacker through their Ethereum address to offered to let the hacker keep $10 million worth of funds stolen if the remaining funds are returned. 

"This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens. We'd like to offer you a whitehat agreement and present you a bug bounty of $10 million for exploit details, and returning the wETH you've minted. you can reach out to us at [email protected]"

At the time wETH tokens sent across the bridge are not yet redeemable while the Wormhole team attempts to fix the exploit. 

This is the second smart contract exploit on a token bridge in a week. On Jan 28, Qubit Finance's QBridge was exploited for $80 million on BSC. it is also reminiscent of the Poly Network hack last August wherein $610 million in crypto was stolen off the platform. nearly all of the funds were returned by the whitehat hacker. 

The frequency of smart contract hacks on token bridges serves to validate Vitalik Buterin's Jan 7 warning that there are "fundamental security limits of bridges." The Ethereum co-founder's admonition was within the context of a 51% attack on Ethereum, but his advice was well-timed as the pointed out the general vulnerability apparent on bridges that send tokens across layer-1 blockchains.  

Read: Qubit Finance lost $80 million worth of crypto assets in QBridge protocol hack