On February 2nd one of the top 5 crypto hacks of all time happened on the DeFi platform Wormhole. An attacker was able to make off with the nearly $325 Million by exploiting the Solana side of the bridge. Additionally, the hacker may have become aware of the potential exploit due to a Wormhole GitHub repository upload. This means the protocol may have tipped off the hacker to the vulnerability.
The exploit happened not even a month after Vitalik Buterin, Ethereum’s co-founder, discussed security limitations with bridges.
And it has only been 2 weeks since another bridge, Qubit’s QBridge protocol, was hacked for $80 million.
What is does the Wormhole Bridge Do?
In general, a bridge allows a user to send transactions and tokens back and forth between different chains. Wormhole allows users to interact with 6 separate chains. (Avalanche, Binance Smart Chain, Ethereum, Oasis, Polygon, Solana, and Terra).
Wormhole is one of the biggest bridges but the complexity of connecting multiple chains increases the number of attack vectors. For instance, if you have funds on Ethereum and want to move over to Solana, you could use wormhole to lock your $ETH into a smart contract on the Ethereum side and mint an equivalent $wETH on Solana. Your actual $ETH remains locked in a smart contract and your synthetic $wETH is available to transact on Solana.
From the bridge’s perspective, it is interacting with solidity language on Ethereum chain and rust language on Solana chain.
What Happened In the Wormhole Hack?
In this particular hack, the exploit was on the Solana side of the bridge. The hacker was able to exploit a bug in the smart contract and forge a valid signature for a transaction. This allowed for $325 million in $wETH to be minted (120,000 $wETH total) without putting in any equivalent tokens. The $wETH is wrapped Ethereum, an $ETH equivalent used on other chains to represent $ETH.
Once the 120,000 $wETH was minted on the Solana side, the hacker was able to use the bridge to exchange for $ETH on the Ethereum network.
Unfortunately, in this case it appears that the attacker may have been tipped-off to the vulnerability by Wormhole itself. A recent open source code commit to the GitHub repository may have alerted the hacker to the opening. The commits would have fixed the vulnerability but were not implemented yet.
Since the code to fix the issue may have been written nearly 3 weeks earlier, indicating the error was known, it is unclear why the exploit wasn’t flagged and caught before the $ETH could be withdrawn.
What is Next for Wormhole?
Wormhole reached out to the hacker in a message to their wallet shortly after the hack. They offered a $10 million white hack bounty if the hacker returned the funds. Additionally, there is a $10 million reward for anyone who provides details that lead to the arrest of the perpetrator.
Finally, Wormhole has provided the $325 million to the Ethereum side of the bridge to make up for the hack. Therefore, no users will be impacted by the exploit. This did get people wondering where Wormhole came up with such a large amount of money on short notice.
Who is Wormhole?
Wormhole is a project by Certus One, which is owned by privately held Jump Trading, LLC. Jump Trading is not some brand new start-up but part of a decades old trading firm. Additionally, Jump Trading paid Robin Hood nearly $250 million last year for Robin Hood to send its crypto trades through Jump. This makes it similar to Citadel’s relationship with Robin Hood on the stock side.
Despite the big financial loss and bad press, Wormhole will likely survive as bridging use continues to grow. Over $20 Billion in crypto is currently locked into various smart contracts on bridges. However, with all that money sitting out in smart contracts with various ways to attack it, you can expect more stories of hacks.
Should You Avoid Bridges?
Bridges are a potentially exploitable part of the crypto ecosystem right now. However, if you are active in crypto it is hard to completely avoid them. For one, you are not always able to get on-chain directly (ie-buy the native token). Even if you can, you may have the majority of your net worth already on a different chain and bridging is easier than off-chaining to cash and then reinvesting.
Additionally, there has been many opportunities to arbitrage price differences of a token on two different chains. For example, if you could send 1 $wETH from one chain and receive more than 1 $wETH on another chain (after-fees), that is free money.
Synapse Protocol – A Better Bridge
Synapse Protocol is primarily a decentralized bridging solution that uses its own cross-chain Automated Market Maker (AMM) to bridge chains. It is also currently the fastest bridge and retains speed even during high-traffic times when oracle-based bridges get bogged down.
Speed is important because: 1) who wants to wait 7 days to go from L2 Arbitrum back to L1 Ethereum. 2) The less time your funds are in the protocol, the less exposure they have to a hack.
The other big benefit of Synapse is its non-custodial design. If you remember above, Wormhole works by storing your tokens in a smart contract on one chain and minting backed-tokens on the destination chain. Synapse actually performs many transactions for you to get you native assets on the destination chain. This should be more secure as you aren’t holding a synthetic asset backed by funds sitting in the bridge’s smart contract.
Lastly, completely subjective, but it is one of the easiest to use bridges I have seen. You can check Synapse Bridge out here for yourself.
Wrapping Up: Wormhole Bridge Hack
The hack on Wormhole shows the vulnerabilities of bridges once again. Luckily in this case, the financial backer had deep enough pockets to bail out users who could have lost their funds. However, this isn’t always going to be the case.
Bridging may be a necessary evil until the multi-chain landscape is fully developed, but be safe out there and make sure you know the risks of the bridging protocol you use.