While 2021 was inarguably the year of DeFi hacks, 2022 is fast catching up to its predecessor. Although January witnessed its fair share of crypto-crime, February may soon put it in its shadow. Especially now that cross-chain bridge Wormhole has reportedly suffered an exploit worth over $326 million.
‼️ The wormhole network is down for maintenance as we look into a potential exploit.
📢 We will provide updates here as soon as we have them.
🙏 Thank you for your patience.
— Wormhole🌪 (@wormholecrypto) February 2, 2022
The platform, one facilitating token transfers between Ethereum, Solana, and other platforms without an intermediary, suffered a loss of 120,000 wrapped Ether (wETH) tokens on the Solana side of its bridge.
While the Wormhole team has assured the community that ETH supply will be added back on the platform to “ensure wETH is backed 1:1,” a definitive timeline on the same is yet to be released, along with how the additional ETH will be procured.
The wormhole network was exploited for 120k wETH.
ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly.
We are working to get the network back up quickly. Thanks for your patience.
— Wormhole🌪 (@wormholecrypto) February 2, 2022
The hack was first pointed out by community members due to large transactions taking place on 2 February. The culprits minted 120,000 wETH on Solana, out of which they converted and redeemed 93,750 into ETH. It was worth around $254 million. The hacker used some funds to buy SportX (SX), Meta Capital (MCAP), and later, Usable Crypto Karma (FUCK), and Bored Ape Yacht Club Token (APE).
The rest of the wETH was converted into SOL and USDC on Solana, post which around 432,622 SOL now remain in the hacker’s wallet.
According to Paradigm security researcher “samczsun”, the network has reached out to the hacker’s address. In doing so, it offered the culprit a $10 million bug bounty if the funds are returned. The request read,
“This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at [email protected]”
As for the platform’s current state, its team has assured users that the vulnerability has now been patched, even if it remains non-operational as of now. While no other assets or chains served by Wormhole have yet been affected, blockchain security firm Certik believes the Terra side of the bridge could also be exposed to similar vulnerabilities.
While it is the second smart contract hack to take place this year, this episode is also the second-largest DeFi exploit to date. It only fell short of Poly Market’s exploit in August last year, which cost the platform over $600 million. Thankfully for the network, most of the funds were returned by the white hat hacker for a modest $500,000 “security bug bounty.”
Overall, however, DeFi hacks have emerged as a major concern for the industry. 2021 witnessed an all-time high – $1.3 billion worth of assets lost – a 2500% increase from 2020.