$324 million stolen from blockchain platform Wormhole

Wormhole, a popular blockchain bridge, confirmed on Wednesday evening that hackers stole crypto-assets worth $324 million.

The platform serves as a bridge between different blockchains and allows users to transfer cryptocurrency. The company confirmed in a series of Tweets that 120k wETH was stolen from the platform and the network was down for maintenance as they looked into a potential exploit.

The wormhole network was exploited for 120k wETH.

ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly.

We are working to get the network back up quickly. Thanks for your patience.

— Wormhole🌪 (@wormholecrypto) February 2, 2022

The platform’s website has “Portal is Temporarily Unavailable” in block letters but no other message. Researchers found evidence of an 80,000 ETH transfer from Wormhole as well as another 40,000 of ETH being sold by the hacker on Solana. 

Elliptic’s Tom Robinson shared a message from Certus One, the company behind Wormhole, to the hacker offering $10 million for the exploit details and return of all the cryptocurrency. 

The company said the hacker exploited “the Solana VAA verification and mint tokens” in the message.

“The exploit appears to have allowed the attacker to mint 120,000 wrapped ETH on the Solana blockchain, 93,750 ETH of which was then transferred to the Ethereum blockchain,” Elliptic explained. 

By around 8 pm EST, the company said the vulnerability was patched and the network was being restored. Multiple researchers released detailed threads explaining the vulnerability the hacker exploited. 

tl;dr – Wormhole didn’t properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.

— samczsun (@samczsun) February 3, 2022

Jump Capital, which purchased Certus One in August 2021, did not respond to requests for comment. The company also invested in crypto platform AscendEX, which suffered its own $77.7 million hack on December 11. Just five days ago, Qubit Finance took to Twitter to beg hackers to return more than $80 million that was stolen from them. 

The recent hacks continue a run of attacks on DeFi platforms that have occurred over the last year. Chainalysis said at least $2.2 billion was outright stolen from DeFi protocols in 2021.  

The attack on Wormhole is the second largest reported hack after Poly Network saw $611 million stolen from their platform in August. Bitmart lost $196 million in early December.