Wormhole, a protocol for connecting different blockchains, lost around $320 million worth of Ether (ETH), thanks to poorly designed code.
“The wormhole network was mined for 120,000 wETH,” the DeFi biz said via Twitter on Wednesday.
“wETH” stands for “wrapped Ether”, an intermediate token used to transfer Ether across blockchains built for different cryptocurrencies. Wormhole’s technology serves as a bridge that connects the Solana blockchain to various other “decentralized finance” or DeFi blockchains like Avalanche, Binance Smart Chain, Ethereum and others.
The loss represents the fourth largest cryptocurrency hack to date, according to UK-based blockchain analytics firm Elliptic.
The organization behind Wormhole said it would be adding more ETH in the coming hours to ensure that wETH remains backed by ETH. And on Thursday, as if by magic, Wormhole proclaimed: “All funds have been restored and Wormhole is back.”
But the firm used the word “restored” when “replaced” would have been more accurate. The stolen funds have not been recovered from the thief; the looted coffers were instead refilled by benefactor Jump Crypto, which last year bought Certus One, the company that developed Wormhole.
“@JumpCryptoHQ believes in a multi-channel future and that @WormholeCrypto is critical infrastructure,” said Jump Crypto via Twitter. “That’s why we replaced 120,000 ETH to make community members whole and support Wormhole now as it continues to grow.”
Wormhole also offered the thieves who stole the digicash a $10 million “white hat” reward if the funds are returned. There’s no word yet on any movement on that front.
As one anonymous wag put it: “So the slot machine paid for a lucky winner and the house covered the losses from profits made elsewhere.”
The hack appears to have been made possible by a signature verification feature in Wormhole’s Solana bridge code that did not actually verify any signatures.
Paradigm security researcher “samczsun”, after walking through the relevant code in a Twitter thread, summed up the attack scenario: “Wormhole failed to properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they brought back 93,750 (~$250 million) to Ethereum.”
Security researcher Matthew Garrett speculated, based on the delay between the pull request containing the fix and its merge into the code base, that the attacker spotted the code change and engineered an exploit before the fix could be deployed.
“So what it looks like is that an obfuscated critical security change was released, someone found out what the vulnerability was and then walked out with all the money before the patch was deployed,” Garrett said.
The Register asked Wormhole if that was correct, but we got no response. ®