A cryptocurrency service in the emerging decentralized finance space, or DeFi, was exploited by hackers for around $320 million in one of the largest crypto heists of all time.
Hackers exploited the Wormhole DeFi platform for 120,000 wrapped ether (wETH) worth roughly $320 million from the Wormhole DeFi platform on Wednesday, the service announced in a tweet. According to blockchain records, 80,000 of the stolen wETH was sent to the attacker in a single transaction, costing $128 in blockchain fees.
Videos by VICE
Wormhole was developed by Certus One, and exists to bridge tokens between Solana, Ethereum, and other blockchains by locking them in a smart contract and minting “wrapped” tokens. After the hack, Twitter users speculated about the impact the hack might have across the DeFi ecosystem, since ether on Wormhole backs the corresponding bridged ether on Solana. According to Wormhole, “ETH will be added over the next hours to ensure wETH is backed 1:1.” After the hack, Solana’s price took a dip even as Wormhole said it had patched the vulnerability.
Wormhole initially acknowledged a “potential exploit” on Twitter and said the service was “down for maintenance” while it investigated. As news of the hack began circulating, people started spamming the attacker’s address.
One person sent the attacker a single token called FUCK, while someone with the Ethereum vanity address “hackerplsdonate.eth” has so far spammed the address with 10 separate transactions. “Please donate ethereum, only 100 eth would make me be able to pay off my debts,” they wrote in a message attached to a transaction.
In a message posted on the Ethereum blockchain, an address seemingly connected to Certus One offered the hackers a bounty of $10 million if they return the money. The message was spotted by Tom Robinson, the chief scientist at blockchain analysis firm Elliptic, and the address it came from interacts regularly with Wormhole smart contracts. Motherboard could not confirm the connection further.
“This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens,” the message read. “We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at contact@certus.one.”
Do you have any information about this hack? Or do you research vulnerabilities on cryptocurrencies and their networks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com
Certus One and its parent company Jump Crypto did not immediately respond to a request for comment.
The Wormhole hack is another black eye for the DeFi ecosystem, which is a subset of the cryptocurrency industry focused on more complex forms of investing that simply buying and holding; “staking” and “liquidity farming” are common ways of making a buck, and cross-chain protocols like Wormhole have become a core part of that emerging ecosystem. They’ve also become targets for hackers.
“Bridge projects, ‘moving’ tokens and coins from one blockchain to another, seems to be more vulnerable to attacks as they don’t move the tokens themselves, but instead move data across chains that indicate such transfer is due,” Tal Be’ery, a cybersecurity expert and the CTO of the crypto wallet app ZenGo, told Motherboard in an online chat. “If there is an error or vulnerability there, the attacker can ‘print’ money.”
Last month, cross-chain protocol Multichain was exploited by multiple hackers who stole $3 million from users. The project successfully recovered funds from a self-proclaimed “white hat” hacker after the company exchanged messages with the hacker on the blockchain. Last year, a hacker stole around $600 million from the cross-blockchain cryptocurrency platform Poly Network, and later returned it after the company posted several messages on the blockchain calling the hacker “Mr. White Hat” and even offering them a job. In the end, the hacker actually returned all the money.
Will Wormhole be as lucky?
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.