Hackers drain more than $319 million from Wormhole cross-chain bridge pool
On the night of February 3, the Wormhole cross-chain protocol on Solana came under a hacker attack. The attackers exploited the vulnerability and withdrew 120,000 WETH (over $319 million at the time of writing).
— Wormhole🌪 (@wormholecrypto) February 3, 2022
The developers said they had closed the vulnerability and directed additional ETH to the pool to support liquidity. For the duration of the investigation, the team closed access to the service.
The Wormhole team said that we have “restored all funds” and opened user access to the bridge. The report on the incident will be published later.
The team is working on a detailed incident report and will share it asap
18:26 UTC — contract was exploited for 120k ETH
00:33 UTC — vulnerability was patched
13:08 UTC — ETH contract has been filled and all wETH are backed 1:1
13:29 UTC — the Portal (token bridge) is back up
— Wormhole🌪 (@wormholecrypto) February 3, 2022
Sources CoinDesk and The Block say Jump Trading provided funding to the Wormhole team to restore the lost ETH.
In August 2021 Jump Trading acquired the infrastructure firm Certus One, which is behind the development of the cross-chain protocol.
Jump Trading confirmed that it provided funding to compensate Wormhole losses. The company noted that the cross-chain bridge is a “vital part of the infrastructure.”
.@JumpCryptoHQ believes in a multichain future and that @WormholeCrypto is essential infrastructure. That’s why we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop.
— Jump Crypto 🦬 (@JumpCryptoHQ) February 3, 2022
CertiK explained that Wormhole’s smart contracts did not perform a full verification of input data correctness, which allowed transactions with incorrect variables to be initiated. Thanks to this vulnerability, the hackers could mint WETH to their own address.
In this case, the spoofed data will be passed and processed.
The mint authority for the Wormhole ETH is a PDA and will sign the “mint” instruction.
Lastly, the “invoked_seeded instr” will be successfully triggered and mint Wormhole ETH to the attacker. pic.twitter.com/YtoPZ2i5bo
— CertiK Security Leaderboard (@CertiKCommunity) February 3, 2022
As noted in January 2022, Vitalik Buterin described cross-chain bridges as vulnerable due to concerns about asset security.
Read ForkLog’s bitcoin news on our Telegram — cryptocurrency news, prices and analysis.
Рассылки ForkLog: держите руку на пульсе биткоин-индустрии!