The Wormhole token bridge between Solana and Ethereum experienced a security breach, leading to the theft of wETH worth $321 million from the platform.
On Wednesday, February 2, the team of the interoperability protocol Wormhole reported a breach that resulted in the loss of 120,000 wrapped Ether (wETH) tokens, worth around $321 million.
Wormhole acts as a token bridge binding seven high-value chains – Avalanche, BSC, Ethereum, Polygon, Oasis, Solana, and Terra. It does not require the use of a centralized exchange (CEX).
The Wormhole breach is the biggest crypto hack in 2022 so far and the second biggest DeFi hack ever. A bug bounty has been set at $10 million for anyone who manages to return the funds.
The hack occurred on Solana’s side of the bridge. There are concerns that similar issues and exploits could be possible on the Terra side as well.
The team stated that ETH would be added to “ensure wETH is backed 1:1”, though they did not elaborate on the source of the Ether or where the funds would come from.
The Wormhole bridge was temporarily down for maintenance while the team worked on detecting and fixing the exploit. Several hours later, it was announced on Twitter that the breach was patched.
The massive hack occurred on February 2, at 6:24 p.m. UTC. The hacker first minted 120,000 wETH on Solana’s side and redeemed 93,750 wETH (about $254 million) for ETH on Ethereum’s end 4 minutes later. The hacker has been actively using the funds to buy Bored Ape Yacht Club Token, Finally Usable Crypto Karma, Meta Capital, and SportX.
The remaining 26,259 wETH were swapped for SOL and USDC on Solana’s end. The hacker currently holds 432,662 SOL, valued at $44 million, in the Solana wallet.
There have been no reports of other assets or chains being affected via Wormhole. However, smart contract auditing firm Certik published a report today pointing out that the Terra bridge could have vulnerabilities similar to those on the Solana side.
The Wormhole team reached out to the hacker using their Ethereum address. They said they would let the hacker keep $10 million worth of the funds if the rest of the stolen crypto is returned.
This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at [email protected]
Twitter user @samczsun reverse-engineered the breach and posted a thread explaining how the whole process transpired.
This is the second time within a week that a smart contract was exploited on a token bridge. On January 28, QBridge was exploited on BSC for $80 million.
Earlier in January, Ethereum co-founder Vitalik Buterin commented on Reddit about the “fundamental security limits” of bridges, saying he was “pessimistic about cross-chain applications.”