The $300 Million Solana-Ethereum Wormhole Exploit

Developers have successfully corrected a gap exploited by an attacker to transfer tokens between the Solana and Ethereum networks via Wormhole, a bridge protocol.

According to a tweet from Wormhole, the attacker exploited a vulnerability in the bridge, siphoning 120k wrapped ether valued at $323 million.

It was difficult to discern how the attacker built the exploit, according to experts who are now working to restore the bridge’s functionality. They debated whether the attacker had gotten the private keys or exploited the bridge at first, but eventually decided to work backwards to find the exploiter’s footprints.

Wormhole normally locks assets and mints a wrapped version of the tokens before releasing them to the destination chain when users send assets from one chain to another.

The attacker sent 80k ETH from Solana to Ethereum in the first transaction. According to Kelvin Fitcher, a smart contracts developer with Ethereum Optimism, he afterwards made a further aggregate trade of 120k ETH that was generated out of thin air, prompting the transfer of real funds.

 “The attacker was able to mint Wormhole ETH on Solana, so they were able to correctly withdraw it back to Ethereum.” he tweeted.

Wormhole didn’t properly validate all input accounts, allowing the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum, according to SamCzSun, a software developer at paradigm who worked with two other developers to reverse engineer the exploit.

The wormhole’s creators have since set up a bounty for the loot’s return.

This is one of the largest DeFi exploits in history, as well as the greatest bridge attack to date, adding to the more than $2 billion in DeFi hacking damages.

Despite the fact that DeFi is heralded as one of the most significant advancements in the blockchain ecosystem, with the Total Value Locked in Assets rising to new highs year to date, the risk of attacks is increasing.

This demonstrates that the security of DeFi services has not yet reached a level that is commensurate with the vast sums of money held within them. Following the Wormhole heist, Tom Robinson, the Chief Scientist of blockchain analysis firm Elliptic, commented, “The transparency of the blockchain is allowing attackers to identify and exploit major bugs.”

Vitalik Buerin, the founder of Ethereum, has expressed disdain for cross-chain networks because of their vulnerability to attacks, while touting multi-chain networks as the future of DeFi.

cryptocurrency news