Wormhole crypto platform suffers $325 million Hack
GitHub Error Leads to Sizeable Hack
Last Wednesday, the decentralized finance (DeFi) platform Wormhole faced one of the biggest crypto hacks in history. Currently, this ranks as one of the top five crypto hacks ever. This happened when a hacker took advantage of a security flaw to take off with over $300 million. (Although the security flaw was fixed but it was not added to the live application before the hack took place).
The attack stemmed from a recent update on the project’s GitHub repository, which showed a bug fix had not been deployed to the project.
The attack happened on the 2nd of February. Users noticed the incident when a post from the official wormhole Twitter account announced maintenance for the network. Another post by Wormhole later confirmed the hack and the lost amount.
Following the attack, the Wormhole team offered the hacker around $10 million to return the $325 million stolen funds. The bounty was offered as a text in a transaction sent to the hacker’s Ethereum wallet address.
Wormhole offers a service that acts as a bridge between blockchains. Basically, it is acting as an escrow that allows one type of crypto to be deposited in order, so as to create assets in another crypto. Essentially, this enables a person holding one cryptocurrency to make trades or purchases using another cryptocurrency.
The hacker succeeded by managing to forge a signature for the transaction that enabled them to mint 120,000 wrapped ETH (wETH), with a value equivalent of more than $325 million. The hacker then exchanged the wrapped Ethereum for around $249 million in Ethereum. Wormhole mentioned that the funds were part of the platform’s Ethereum funds that were held as collateral transactions on the Solana blockchain.
A look into the open source code shows that the code that would have corrected the bug had been written, and uploaded to the Wormhole GitHub repository, but it had not yet been deployed. It was this vulnerability that was exploited by the hacker.
Matthew Garrett, a software developer mentioned that the undeployed code could have tipped off the attacker.
Another file present through the Wormhole GitHub page also mentions that a security audit was done by Neodyme, a security research company in mid 2021. It is unclear if the bug was present during the audit.
Due to how the cross-chain applications are connected, the hack left a sizable drop in the amount of wETH and ETH held in the wormhole bridge. This gave the impression that the collateral asset backing the loan suddenly varnished. The attack led to a 10 percent drop in Solana crypto value.
To mitigate the loss, the Wormhole team announced that it will add more Ethereum to cover for the loss. This means that they will need to find $325 million to cover the plug.
At this time, we don’t know where the funds will come from.