On February 2nd, a hacker took advantage of a vulnerability in the cross-chain bridge Wormhole taking approximately 120k ETH. They were able to do it by minting 120k wETH through a bug in the system and then bridged it over to the Ethereum blockchain, thereby removing the 1:1 backed assurance of ETH to wETH. The attack itself occurred on the bridge between Ethereum and Solana on the Solana side. Neither Ethereum nor Solana were hacked, but the bridge that connects them was. More on why that’s important later.
Wormhole promptly freaked out with two exclamation marks shortly after the transfer.
Wormhole later released an incident report, including a detailed timeline of the events that took place. They’re offering a $10 million reward for any information that leads to the recovery of the stolen funds. This was after they initially tried to offer the hacker the $10 million as a white hat bounty.
I guess the hacker wasn’t interested. If you’re interested and you happen to know who did it, you should contact bounty@wormholenetwork.com and get some of that sweet reward. What about those who had their funds on the hacked bridge? Jump Crypto swooped in to assure everyone that the sky was not falling.
Who’s Jump Crypto? Besides being Wormhole’s serious BFF, they’re a project formed out of Jump Trading Group. Needless to say, they have some deep pockets to come in so swiftly and back all that stolen ETH.
Why does this matter? Aside from the massive exchange of fortune between a private equity/research firm and blockchain bridge pirate, there are bigger questions to ask about the sanctity and security of Layer 2 solutions like Wormhole. As a true oracle of chain wisdom, Vitalik Buterin posted a detailed message on the dangers of cross-chain applications a mere 26 days before the massive exploitation. Granted, he was warning more against the possibility of 51% attacks, and in this instance, the exploit was a bug in the signature verification code. Still, the security of Layer 2 applications, bridges like Wormhole, is what caused the fourth largest crypto hack to date. What caused the first three?
On August 10, 2021, $600 million was taken from Poly Network, which is, you guessed right, a cross-chain DeFi platform. It was reported that the hacker in that incident returned most of the stolen money, but that didn’t stop the heartburn. To date, the Poly Network attack is widely considered the largest crypto attack in history.
Second is Coincheck, although first by my standards. I don’t believe it counts as a bank robbery if the robbers get to the door, put all the stolen money on the ground, turn around and say, “See! I totally could have robbed you just there!” Coincheck was hacked out of $523 million due to having a “shortage of employees” at the time, which is a very embarrassing way of getting robbed. They were also not fortunate enough to have robbers that just wanted to prove a point. Thankfully, the 260,000 users didn’t have to pay the price as they were reimbursed by Coincheck, who paid out of their own pocket.
Mt. Gox may be the ugliest crypto hack, in my very humble opinion. There was 840k BTC stolen back in 2014. It was $460 million at the time. Today, it would be worth about $34 billion. You could argue that Mt. Gox was the largest crypto hack in history due to the amount worth in today’s standards, and you wouldn’t necessarily be wrong. It was also the longest, taking place over many months as the security flaws went unnoticed for years. The hack was due to negligence times 10, and it comes with a sad ending as none of the funds were recovered from the thieves. Many users are still tied up in litigation, trying to recover their BTC.
Both Coincheck and Mt. Gox were centralized exchanges that had internal security flaws. Not your keys, not your coin. Use both as an example of why it’s dangerous to leave your money in an exchange, but neither one of these classify as a DeFi hack. That makes the Wormhole hack the second-largest DeFi hack in history, and the largest if you agree with the notion that a robbery is only a robbery if one is robbed. Hacking is big business, even if you’re a white hat.
Polygon, operator of the Plasma Bridge, paid out a $2 million bounty to a white hat hacker who informed them of a vulnerability that put $850 million at risk. No funds were stolen, but the danger was real. They then again paid out another $3.47 million to two white hat hackers who discovered another critical vulnerability, this time one that put all $10 billion worth of MATIC at risk. Again, no funds were stolen, but we’re not exactly playing by no harm, no foul rules. At the time, the $2 million bounty paid by Polygon was the highest known paid bounty to a hacker exposing an exploit. They beat their own record by paying out the $3.47 million bounty. The recent $10 million bounty offered by Wormhole, had it been accepted, would have claimed that top spot by a healthy margin. By saying the $10 million is now a reward for anyone who can offer information leading to the arrest and conviction of those responsible, they’re saying that that 120k ETH is gone and the hacker is not giving it back. Wormhole has solved its solvency issues, for now, and they have internet detectives on the case trying to find the perpetrators. Although there have been instances before where the criminals have gotten caught, most of the time, crime pays, and the likelihood of these funds being returned at this point is quickly diminishing.
Immunefi, a security platform for DeFi that offers a bug bounty reward system, recently released a report claiming $10 billion lost in 2021 from DeFi attacks. That’s up 137% from 2020, and it’s likely to be more this year. We just entered February. We got a lot of year left. Per the Wormhole Incident Report, Wormhole began the process of launching a formal bug bounty program on Immunefi in December 2021. They’re advertising a $3.5 million payout for bug catchers. It’s expected to launch in mid-February, so we can safely say that they were just a bit too late. As we forever balance the scalability trilemma, security will frequently take a backseat to scalability and decentralization, and hackers will feed. Whether you’re in the business of preventing hacks or the business of causing them, business is booming.