The Wormhole network, used to bridge the Solona blockchain platform with other decentralized finance (DeFi) projects, lost about $320 million in cryptocurrency funds after a novel vulnerability was exploited on February 2.
Wormhole says that the vulnerability has been patched and that all funds have been restored, and that the project will be backing funds one-for-one with Ether going forward.
DeFi project hack latest in a string of high-value crypto thefts
The stolen funds consisted of 120,000 wrapped Ether (wETH), a form of standardized token that represents a variety of cryptocurrency types and allows them to be traded directly. It is unclear where the funds the victims were reimbursed with came from, but Wormhole has pledged to back wETH one-for-one with the Ethereum network’s Ether coin going forward.
The company is also offering a bounty of $10 million for information leading to the arrest of the responsible party or recovery of the stolen funds, and has announced that it will be launching an ongoing bug bounty program on Immunefi sometime this month that will offer maximum bounties of $3.5 million for disclosure of new vulnerabilities.
Wormhole’s post mortem incident report indicated that a signature verification vulnerability was exploited. The perpetrator targeted wETH tokens on Solana that were not tied to Ethereum deposits, bridging them to Ether in order to steal them.
Roger Grimes, Data Driven Defense Evangelist for KnowBe4, expands on the particular vulnerability used to breach the Wormhole network: “The theft was allowed because of a rather common programming error. The function inside of the multiple nested smart contracts which was supposed to verify the signature was not coded to ensure the integrity check actually happened. So there was no integrity guaranteed in the integrity check. Yeah, that is a problem … The cryptocurrency world is full of trillions of dollars. It is an immature industry using immature code, and like all new industries, it is moving ahead at warp speed, good security be damned. It is getting harder and harder for traditional hackers and bug finders to find really good exploits in Microsoft Windows, Macs, Linux and Google ChromeOS. They find plenty of bugs, but it is becoming harder as those platforms mature, including the experienced coders, tools and the protective mechanisms of the operating systems themselves. But the cryptocurrency world is the exact opposite. It is built on very secure protocols and algorithms, but then a lot of very immature and buggy applications are built on top of it.”
The $320 million total makes this the second-largest breach of a DeFi project in history, but the largest in terms of funds that have not been returned – the $602 million breach of the Poly Network in September 2021 was the largest, but nearly all of those funds were eventually returned in a “whitehat” agreement. This also makes the Wormhole network incident one of the…
Read More: www.cpomagazine.com