On Feb 2, 2022, an attacker successfully stole crypto tokens worth over $326 million from a cross-platform bridge called Wormhole. This attack was the second biggest in the history of blockchains.
Wormhole is a generic message-passing application that connects to multiple blockchains like Ethereum, Solana, Terra, Binance Smart Chain, Polygon, Avalanche, and Oasis. It is popularly known for its token bridge called The Portal, which allows users to convert their cryptocurrencies.
The Portal works by performing a series of steps. Let us take an example of converting ETH to SOL:
- The amount of ETH you want to convert is first deposited into a smart contract from the source blockchain.
- The Portal then mints or creates an equivalent number of wrapped ETH tokens (a representation of the actual ETH token).
- You then convert this wrapped ETH into SOL on the destination blockchain.
Learn more about bridges in this video.
In a blog released by Wormhole on Feb 5, 2022, they said that an attacker exploited a vulnerability in Wormhole to mint (create) new 120k Wormhole-wrapped Ether (wETH) on Solana. Out of this, 93,750 wETH were moved to Ethereum and converted to ETH (Ethereum token) and the rest were converted to SOL (Solana token).
This vulnerability was subsequently fixed. The network was back online and fully operational 16 hours after the team took it down to prevent further damage.
Wormhole reached out to the hacker with an offer of $10 million for the timely return of the funds. They also placed a $10 million reward for anyone else who can offer any information leading to the arrest and conviction of those responsible.
Although the vulnerability was patched, this event has reignited the debate around the security limitations of bridges. Roger Grimes, a defense evangelist with KnowBe4 called this a “rather common programming error” in this ThreatPost article. CertiK, a security solutions company for blockchain projects, said that this event could lead to more such attacks in the future.
Grimes also emphasized the need for companies to train their developers in Secure Development Lifecycle (SDL) that focuses on a combination of tools and techniques required to secure code.
Wormhole stated in their blog that they remain committed to the security of their bridge. The last code audit was completed in Jan 2022 by third-party auditor Neodyme. So why this flaw in the code escaped the eye of the auditors is a question worth asking, especially when Solana already has documentation that could have prevented this attack in the first place.
Whatever the underlying reason is for this attack, it is clear that the Blockchain ecosystem will remain vulnerable to hackers. The rush to create applications without much concern for security and the large amount of money that this ecosystem holds makes it a prime target.
