In Brief:
- Wormhole suffered the second-largest DeFi attack and lost over 120,000 wETH tokens.
- The hacker swapped the tokens for Ethereum, SOL, USDC, APE, SX, and other tokens.
- The bridge announced a $10 million bug bounty for the hacker to return the funds.
Wormhole, a cross-chain token bridge, reported the largest DeFi attack of 2022 on its platform, which led to the loss of 120,000 wETH. This value is equivalent to $321 million. The attack is also the second-largest DeFi attack after Poly Network.
Since the beginning of this year, many cross-chain platforms have been compromised by hackers. The string of recent attacks proves the prediction by Ethereum co-founder Vitalik about cross-chain bridges, that there are “fundamental security limits of bridges.”
The attack was launched on the platform in the early morning. After exploiting a bug, the hacker minted 120,000 wETH on the Solana blockchain and then redeemed/swapped 93,750 wETH for ETH on the Ethereum network. The hacker then swapped the remaining wETH tokens for SOL and USDC.
At the time of writing, the hacker’s Solana wallet holds 432,662 SOL tokens, worth almost $44 million.
To drain funds from the wallet, the hacker also filled the wallet with different tokens such as SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club Token (APE).
Only one side of the bridge was exploited, and no other blockchains were compromised. However, smart contract auditing firm Certik raised concerns that “It is possible that Wormhole’s bridge to the Terra blockchain shares the same vulnerability as their Solana bridge.”
After the huge vulnerability on the platform was exploited, the Wormhole team contacted the hacker through an Ethereum address, asking for the return of the funds and offering a bug bounty worth $10 million.
“This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at contact@certus.one”
The bridge has temporarily stopped wETH redemptions on its platform to fix the exploit.
This is the second exploit of a token bridge platform in the same week. On 28th January, decentralized protocol Qubit Finance lost over $80 million worth of Binance coin from its platform after its Qbridge protocol was compromised.