A treasure of Ether has been stolen from the Wormhole bridge. It sounds like stuff from a science fiction or fantasy book. But in the 'dark forest' that is defi, these things happen every few months. On February 2d, a hacker managed to take advantage of a weakness in the code and run away with 120 k Eth, worth 300 million dollars.
Wormhole is a so-called bridge between the Solana and Ethereum blockchain. Such a bridge - there are dozens - allows coins to move between different blockchains. There they lead a parallel existence as "wrapped" coins. For example, there are now over 240 thousand wrapped Bitcoin on the Ethereum blockchain. There, the wrapped Bitcoin can be deployed in defi applications, for example to capture yield.
The developers of Wormhole have confirmed the theft. They reportedly are in touch with the hacker and offered a 10 million reward in exchange for returning the loot.
How did the hack happen?
In short, and with the disclaimer that the writer of this article is no developer, the hack went as follows. According to third-party developer Kelvin Fichter, the hack was in essence the mimicry of a small program on Solana that signs for transactions. The approval of this program, which was mimicked by the hacker, signaled to the so-called "guards" of the Wormhole bridge that the transaction was valid. And so, the guards mistakenly signed for the transaction of 120 thousand Eth to Wormhole. Then the hacker siphoned back this newly created Eth to his Ethereum address.
After this fateful event, the vulnerability in the code has been fixed, according to the team at Wormhole.
Stress testing the code
The fact that such hacks happen from time to time does not mean that the whole idea of defi or bridges is bankrupt. On the contrary, in an inevitable world with multiple blockchains, there needs to be functionality to move value between them. These kinds of hacks are ultimately good for stress testing blockchain technology and separating the wheat from the chaff. Growing pains!
That said, bridges will remain vulnerabilities. For example, founder of Ethereum Vitalik Buterin is not a fan. According to him, it is fundamentally safer to leave your coins on the original network: i.e. Eth on Ethereum and Sol on Solana.
After this major theft of Eth, owners of wrapped Eth on Solana scratched their heads: is there enough Eth left to cover their funds? Good news: the team behind Wormhole announced on Twitter that the funds have been restored.
It all just goes to show that one needs a strong stomach when entrusting money to decentralized finance. That's not to say it's necessarily a bad choice: in addition to the risks, the returns can be high. Most users of DeFi - hopefully – know that these things can happen in the fast-evolving world of blockchain technology. So diversifying investments across platforms is a good idea. For example, one part in 'cold storage' and another part in centralized exchanges like LiteBit.