Pierluigi Paganini February 03, 2022

Threat actors have stolen $325 million in cryptocurrency leveraging a bug in the Wormhole communication bridge.

Wormhole, one of the most popular bridges that links the Ethereum and Solana blockchains, lost about $325 million in an attack that took place on Wednesday.

This is the second-biggest hack of a DeFi platform ever, just after the $600 million Poly Network security breach. Experts pointed out that this is largest attack to date on Solana, which is a high-performance blockchain like Ethereum and that is increasing its popularity thanks to the interest in the non-fungible token (NFT) and decentralized finance (DeFi) ecosystems.

Wormhole is a communication bridge between Solana and other top decentralized finance (DeFi) networks and allows to transfer of cryptocurrency across different blockchains, including Avalanche, Oasis, Binance Smart Chain, Ethereum, Polygon, Solana, and Terra.

The Wormhole development team confirmed the hack and took down its platform for maintenance while investigating the crypto heist.  The website of the Wormhole protocol is currently offline.

The attackers exploited a flaw in the protocol to steal 120k wrapped Ether tokens on the Solana blockchain, then they converted 93,750 to Ethereum to sell it.

“The exploit appears to have allowed the attacker to mint 120,000 wrapped ETH on the Solana blockchain, 93,750 ETH of which was then transferred to the Ethereum blockchain” reported the blockchain analysis firm Elliptic.

Everytime a user wants to transfer funds among blockchain the token is wrapped in a smart contract before being transferred to the destination blockchain.

“An analysis from blockchain cybersecurity firm CertiK shows that the attacker’s profits thus far are at least $251 million worth of Ethereum, nearly $47 million in Solana, and more than $4 million in USDC, a stablecoin pegged to the price of the U.S. dollar.” reported CNBC.

Elliptic revealed that Wormhole has offered the attackers a $10 million reward to return the funds.

“Wormhole has offered the attacker a $10 million “bounty” to return the funds. The offer was embedded within an Ethereum transaction sent to the attacker’s account:” continues Elliptic. “Wormhole has offered the attacker a $10 million “bounty” to return the funds. The offer was embedded within an Ethereum transaction sent to the attacker’s account”

Below is the message sent by Wormhole to the attackers:

“This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at [email protected]”

Elliptic experts added that the analysis of these transactions has determined that the exploit resulted from Wormhole’s failure to validate “guardian” accounts.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]