A hacker has exploited a zero-day vulnerability in the Wormhole cryptocurrency platform and stole approximately $326 million in cryptocurrency. After exploiting the vulnerability, the hacker minted and stole 120,000 wrapped Ether tokens on the Solana blockchain, then converted 80,000 to Ethereum, then started to trade what remained on the Solana blockchain.
The Wormhole platform is used to transfer cryptocurrency across different blockchains, including the Avalanche, Oasis, Binance Smart Chain, Ethereum, Polygon, Solana, and Terra blockchains and holds around $1 billion in deposited funds. On February 2, 2022, Wormhole said it had shut down its platform and had launched an investigation into an exploit on its network.
Wormhole has reportedly attempted to contact the hacker and has offered a white hat agreement and will provide the hacker with a bug bounty of $10 million in exchange for details of the vulnerability that was exploited. In order to receive the bug bounty, the hacker is also required to return the wETH that was minted. It is unclear if the hacker has contacted Wormhole and is cooperating. In the meantime, Wormhole said it is adding more ETH to its platform to ensure that all wETH is backed 1:1.
On Thursday, the Digital assets firm Jump Crypto said it had given its portfolio company Wormhole Platform 120,000 ETH tokens to replace the tokens that were stolen, “to make community members whole.”
While the heist is significant, and the largest ever to occur on the Solana network, it is not the largest ever DeFi theft. In the summer of 2021, a vulnerability was exploited in the decentralized cross-chain protocol and network, Poly Network. Poly Network connects the Bitcoin, Ethereum, Neo, Ontology, Elrond, Ziliqa, Binance Smart Chain, Switcheo, and Huobi ECO Chain blockchain networks.
The hacker obtained more than $611 million in cryptocurrency, including $273 million in ETH tokens, $253 million from the Binance Smart Chain, and $85 million in USD Coin. The hacker returned around half of the stolen cryptocurrency shortly after the attack and claimed the attack was done ‘for fun’. The remainder of the funds were returned a few days later.