Hacker magics $300M worth of crypto out of thin air in fourth largest blockchain heist ever


A large-scale crypto heist that occurred last night could be the fourth largest of all time. A cryptocurrency portal, Wormhole, has been hacked and funds stolen valued at $300–330 million. Having confirmed the hack yesterday, Wormhole has since patched the exploit in its system which allowed hackers to steal nearly 120,000 wETH, a wrapped token exchangeable 1:1 with the Ethereum network’s ether.

Wormhole is a cryptocurrency network, or bridge, that allows users to transfer cryptocurrency between various blockchains, including the Ethereum and Solana networks. It essentially works by holding a user’s tokens in a smart contract on the departing chain, and then minting a wormhole ‘wrapped’ token on the destination chain. These wrapped tokens can then be swapped for native tokens on the destination chain, effectively swapping crypto between major chains.

Now, somewhere in that process of minting and wrapping there was an exploit, one which allowed a hacker to mint wrapped coins on a destination network without ever transferring anything from the departing chain, in this case 120,000 wETH on the Solana network, which uses the cryptocurrency SOL.

The 120,000 figure has since been confirmed by Wormhole directly, which values the entire operation at somewhere around $320 million, depending on the exact price at that time.

The funds have since been divided and exchanged. Most appears to have been swapped for ether, around 93,750, while a lesser sum is held in SOL.

Wormhole’s statement, February 2, 2022:

“The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience.”


One of the key things with this hack is that Wormhole must maintain a 1:1 value between its wrapped tokens and the native tokens of the blockchains it bridges. Otherwise users may lose money by transferring between the two. That means when some nefarious actor mints loads of wETH out of nothing, they’re effectively pulling from a money pool held by Wormhole.

Devaluing wETH would mean no more simple transfers to the Ethereum network, which is one of the world’s largest blockchains, and thus a pretty big deal for Wormhole. The company has promised to top up the amount to maintain a 1:1 value.


This snapshot from Solscan shows the amounts transferred to and from the hacker’s account (account tokens removed). (Image credit: Solscan)

Wormhole has also attempted to reach out to the hacker over an Ethereum transaction sent to the hacker’s account, an Elliptic blog post says. It offers $10M in bug bounty fees to the hacker in exchange for the stolen funds and information as to how the exploit occurred.

Elliptic also puts this cryptocurrency hack amongst the biggest of all time. The funds stolen from Wormhole put it fourth in crypto heist history, behind the Mt. Gox, Coincheck, and PolyNetwork heists.

How the Wormhole cryptocurrency exploit happened

The decentralised security experts at CertiK have outlined how the Wormhole bridge exploit occurred. 

CertiK’s analysis, posted February 3, 2022:

“#IncidentAnalysis The investigation inside Wormhole Bridge. The attacker invoked the complete_wrapped instruction with the spoofed inputs `ctx`, `accs` and `data`. The instruction does not perform complete verification on the correctness of the input `ctx`, `accs`, and `data`.” pic.twitter.com/IQAEqvphBO


Essentially, the hackers invoked the complete_wrapped instruction with spoofed inputs ‘ctx’, ‘accs’ and ‘data’. That means they somehow tricked Wormhole into thinking a deposit had been made into the smart contract on the departing chain and that wrapped tokens were therefore owed on the destination blockchain, in this case Solana.

Of course, the funds were never there on the departing chain, meaning the wrapped tokens were coming out of Wormhole’s own pocket.

Because the spoofed inputs were passed through without full verification, the go-ahead to mint the wrapped coins was given despite the instruction being bogus. The last step was triggering the “invoked_seeded inst”, which signs the “mint” instruction and hands the hacker the stolen funds.
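To make the two points above concrete, the lock-then-mint flow described earlier and the "instruction trusts caller-supplied accounts" failure described here, the following is an added illustrative model written for this article. It is not Wormhole’s code and does not reproduce the real program: it is a stand-alone Rust sketch in which a bridge records tokens locked on the departing chain and wrapped tokens minted on the destination, and exposes two versions of a `complete_wrapped` step. The insecure version reads the "verified" flag from whatever verifier account the caller passes in; the hardened version first checks that account’s address and owner against what the program expects. The constants `TRUSTED_VERIFIER` and `BRIDGE_PROGRAM`, the account layout (data[0] == 1 meaning "verified") and the claim format are all constructed for the example.

```rust
// Added illustrative model, not Wormhole's code. Keys, account layout and
// constants are constructed for this example.
use std::collections::HashMap;

/// A 32-byte account address, as on Solana.
pub type Pubkey = [u8; 32];

/// Constructed constants: where the trusted message-verification account must
/// live, and which program must own it. Real programs derive these themselves.
pub const TRUSTED_VERIFIER: Pubkey = [7u8; 32];
pub const BRIDGE_PROGRAM: Pubkey = [9u8; 32];

/// An account as supplied to an instruction by the caller (the `accs` input).
#[derive(Clone, Debug)]
pub struct Account {
    pub key: Pubkey,
    pub owner: Pubkey,
    /// Opaque data; for the verifier account, data[0] == 1 means "message verified".
    pub data: Vec<u8>,
}

/// The transfer claim carried in `data`: how much to mint and for whom.
#[derive(Clone, Debug, PartialEq)]
pub struct TransferClaim {
    pub amount: u64,
    pub recipient: Pubkey,
}

#[derive(Debug, PartialEq)]
pub enum BridgeError {
    WrongVerifierAddress,
    WrongVerifierOwner,
    MessageNotVerified,
    ZeroAmount,
}

/// Bridge state: tokens locked on the departing chain and wrapped tokens minted
/// on the destination. The 1:1 backing invariant is `minted <= locked`.
#[derive(Default)]
pub struct Bridge {
    pub locked: u64,
    pub minted: HashMap<Pubkey, u64>,
}

impl Bridge {
    /// Step 1 of a legitimate transfer: the user deposits on the departing chain.
    pub fn lock(&mut self, amount: u64) {
        self.locked += amount;
    }

    pub fn total_minted(&self) -> u64 {
        self.minted.values().sum()
    }

    /// Are all wrapped tokens backed by locked tokens?
    pub fn is_fully_backed(&self) -> bool {
        self.total_minted() <= self.locked
    }

    fn mint(&mut self, claim: &TransferClaim) -> u64 {
        let bal = self.minted.entry(claim.recipient).or_insert(0);
        *bal += claim.amount;
        *bal
    }

    /// Insecure: trusts whatever "verifier" account the caller hands over and
    /// only reads its data, so a caller-built account that says "verified" passes.
    pub fn complete_wrapped_insecure(&mut self, accs: &[Account], data: &TransferClaim) -> Result<u64, BridgeError> {
        let verifier = &accs[0];
        if verifier.data.first() != Some(&1) {
            return Err(BridgeError::MessageNotVerified);
        }
        Ok(self.mint(data))
    }

    /// Hardened: check the identity and ownership of every supplied account
    /// before trusting its contents, and validate the claim itself.
    pub fn complete_wrapped_secure(&mut self, accs: &[Account], data: &TransferClaim) -> Result<u64, BridgeError> {
        let verifier = accs.first().ok_or(BridgeError::WrongVerifierAddress)?;
        if verifier.key != TRUSTED_VERIFIER {
            return Err(BridgeError::WrongVerifierAddress);
        }
        if verifier.owner != BRIDGE_PROGRAM {
            return Err(BridgeError::WrongVerifierOwner);
        }
        if verifier.data.first() != Some(&1) {
            return Err(BridgeError::MessageNotVerified);
        }
        if data.amount == 0 {
            return Err(BridgeError::ZeroAmount);
        }
        Ok(self.mint(data))
    }
}

/// Constructed accounts: the genuine verifier, and one assembled by a caller.
pub fn genuine_verifier() -> Account {
    Account { key: TRUSTED_VERIFIER, owner: BRIDGE_PROGRAM, data: vec![1] }
}
pub fn caller_supplied_verifier() -> Account {
    Account { key: [1u8; 32], owner: [2u8; 32], data: vec![1] }
}

fn main() {
    let claim = TransferClaim { amount: 120_000, recipient: [3u8; 32] };
    let mut weak = Bridge::default();
    let r = weak.complete_wrapped_insecure(&[caller_supplied_verifier()], &claim);
    println!("insecure path: {:?}, fully backed: {}", r, weak.is_fully_backed());
    let mut strong = Bridge::default();
    let r = strong.complete_wrapped_secure(&[caller_supplied_verifier()], &claim);
    println!("secure path: {:?}, fully backed: {}", r, strong.is_fully_backed());
}
```

The point the model makes is the one in CertiK’s note: on an account-based chain the program, not the caller, has to establish which accounts it is looking at before it reads anything from them. With nothing locked, the insecure path mints and leaves `is_fully_backed()` false, which is exactly the shortfall Wormhole had to top up; the hardened path refuses the same call before any minting happens.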

Wormhole now says it has closed this exploit, though the portal used to exchange funds between networks is still currently down.

The result of this seemingly small, swiftly patched exploit? $300 million or so out of Wormhole’s pocket.
