Wormhole, a protocol for connecting various blockchains, lost approximately $320 million worth of Ether (ETH) due to poorly crafted code.
“The Wormhole network was used for 120k wETH,” DeFi Biz said via Twitter on Wednesday.
“wETH” stands for “Wrapped Ether”, an intermediary token used to transfer Ether in blockchains built for various cryptocurrencies. Wormhole’s technology acts as a bridge that connects the Solana blockchain to many other “decentralized finance” or DeFi blockchains such as Avalanche, Binance Smart Chain, Ethereum and others.
According to British blockchain analyst Elliptic, the loss represents the fourth-largest cryptocurrency hack ever.
The organizations behind Wormhole said that they would be adding more ETH in the coming hours to ensure that wETH is backed by ETH. And on Thursday, as if by magic, Wormhole announced: “All funds have been restored and the wormhole is back.”
But the firm used the word “restored” when “replaced” would have been more accurate. The stolen money was not recovered from the thief; rather, it was replenished by Jump Crypto, which last year bought Certus One, the company that developed Wormhole.
“@JumpCryptoHQ believes in a multi-chain future and that @wormholecrypto is the necessary infrastructure,” said Jump Crypto via Twitter. “That is why we have turned to 120k ETH to make the community members whole and support Wormhole as it is still developing.”
Wormhole has also offered the thief who took the digital cash a $10m “white hat” reward if the funds are returned. There has been no movement on that front so far.
As an anonymous voice put it: “So the slot machine paid out for one lucky winner and the house covered the loss from gains made elsewhere.”
The hack appears to have been made possible by a signature verification function in Wormhole’s Solana bridge code that didn’t actually verify any signature.
Paradigm security researcher “samczsun,” after discovering the relevant code in a Twitter thread, summarized the attack scenario thus: “The wormhole did not properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they recovered 93,750 (~$250m) in Ethereum.”
Security researcher Matthew Garrett guessed, based on the delay between the pull request with the fix and its merge into the codebase, that the attacker noticed the code change and created an exploit before the repair could be deployed.
“So it looks as if an obscure security-critical change was published, someone figured out what the vulnerability was, and then ran out of all the money before the fix was deployed,” Garrett said.
The Register asked Wormhole if that was accurate but we haven’t heard back.