This is one of the biggest attacks on a decentralised finance platform (DeFi). The Wormhole protocol saw $320 million in WrappedEther (wETH) disappear yesterday. A look at what we know so far.
Wormhole platform suffers $320 million attack
As a reminder, Wormhole is a blockchain interoperability protocol. It allows in particular to create bridges between Ethereum and Solana. To do this, the protocol uses “Wrapped Ether”, tokens representing Ethers (ETH) that are compatible with Solana.
It is these tokens that have been targeted. The attack was announced yesterday by a communication from the project teams:
‼️ The wormhole network is down for maintenance as we look into a potential exploit.
We will provide updates here as soon as we have them.
Thank you for your patience.
– Wormhole (@wormholecrypto) February 2, 2022
They announced that the vulnerability had been fixed a few hours later, but the damage was done. 320 million dollars in wETH was stolen. The protocol was temporarily halted, and Wormhole confirmed that ETHs would be added again so that wETHs would be backed at the 1:1 ratio.
A reward for exposing the vulnerability
Wormhole sent a message to the attacker, offering a deal:
“We noticed that you were able to exploit the Solana verification process and produce tokens. We would like to offer you a whitehat deal, and a $10 million reward for finding this bug, if you return the wETH. “
The attacker made use of Wormhole’s wETH production process. Users can indeed lock their ETH into a smart contract, and receive Solana-compatible “Wrapped Ether” in return. It would seem that he has managed to produce these wETH without first locking ETH, by manipulating the validation mechanism.
This is one of the biggest attacks in the decentralised finance sector to date. It is second only to the Poly Network hack last August, which allowed the attacker to walk away with $600 million in cryptocurrencies. These were then returned to the protocol. For now, however, the Wormhole attacker has not indicated that he wishes to accept the offer.
