Here’s How DeFi Project Lost $320 Million In Ether
Wormhole, a bridge connecting Solana to other popular blockchains, has been robbed of $320 million worth of wrapped Ethereum (wETH), making this the second-largest hack in the decentralized finance space.
The project quickly acknowledged the incident in a tweet.
Wormhole developers have offered the hacker a whitehat deal with a $10 million bounty.
As reported by U.Today, PolyNetwork, which suffered the largest DeFi hack to date, managed to recover all of its stolen funds in August after weeks of negotiations with the attacker.
An expensive bug
In a recent thread, developer Kelvin Fichter explains that the attacker minted wETH on Solana and withdrew it back to the Ethereum blockchain.
Agree. I discovered the Solana x Wormhole Bridge hack. ~$300 million worth of ETH drained from the Wormhole Bridge on Ethereum. Here’s how it happened.
— smart contracts (@kelvinfichter) February 3, 2022
The hacker was able to exploit a bug in Wormhole’s verification function by using a fake system program to cover up the fact that the signature check had not been performed.
After tricking the system into minting wETH on Solana, the attacker brought it back to Ethereum.
Wormhole says the vulnerability has since been patched.
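The class of bug described above, shown as a simplified model added here for illustration (it is not Wormhole's code or the Solana SDK): a verifier that reads "the signature check ran" from a caller-supplied account without first confirming that the account is the genuine one, next to the hardened form. The `Account` struct, the `TRUSTED_SYSTEM_ID` value and the function names are hypothetical.

```rust
// Simplified model, constructed for illustration. All names and values are hypothetical.
// On an account-based chain the caller chooses which accounts are passed to a program,
// so an account's position in the argument list says nothing about its identity.
struct Account {
    address: &'static str,    // address of the account the caller supplied
    sig_check_recorded: bool, // data the verifier reads: "a signature check already ran"
}

// Hypothetical address of the genuine system account the verifier means to consult.
const TRUSTED_SYSTEM_ID: &str = "TrustedSystem1111";

#[derive(Debug, PartialEq)]
enum VerifyError {
    UntrustedAccount,
    SignatureCheckMissing,
}

// Flawed pattern: trusts the data in whatever account sits in the "system" slot.
fn verify_unchecked(system: &Account) -> Result<(), VerifyError> {
    if system.sig_check_recorded {
        Ok(())
    } else {
        Err(VerifyError::SignatureCheckMissing)
    }
}

// Hardened pattern: pin the account's identity before reading anything from it.
fn verify_checked(system: &Account) -> Result<(), VerifyError> {
    if system.address != TRUSTED_SYSTEM_ID {
        return Err(VerifyError::UntrustedAccount);
    }
    verify_unchecked(system)
}

fn main() {
    // Constructed sample inputs.
    let genuine = Account { address: TRUSTED_SYSTEM_ID, sig_check_recorded: false };
    let look_alike = Account { address: "CallerControlled999", sig_check_recorded: true };

    println!("unchecked, genuine:    {:?}", verify_unchecked(&genuine));
    println!("unchecked, look-alike: {:?}", verify_unchecked(&look_alike));
    println!("checked,   genuine:    {:?}", verify_checked(&genuine));
    println!("checked,   look-alike: {:?}", verify_checked(&look_alike));
}
```

The unchecked verifier accepts the look-alike account even though no signature check took place, while the checked verifier rejects it before reading its contents.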
A prescient warning?
Ethereum co-founder Vitalik Buterin warned about the security vulnerabilities of centralized cross-chain bridges in a lengthy Reddit post published last month, claiming they were at high risk of a 51% attack.
However, Jonathon Wu, growth leader at Aztec Network, points out that the Wormhole hack comes down to a smart contract bug, so Buterin’s warning may not apply in this particular case.
Vitalik said, “It’s a lot easier to 51% attack the 19-node validator set of a bridging protocol than the 30,000 nodes of an L1, and if the price is big enough, it could happen.”
He didn’t say that multi-chain bridges are at greater risk of bugs in smart contracts than anything else.
— jonwu.eth (@jonwu_) February 3, 2022