On Feb. 2, 2022, around 1:30 p.m., an unknown hacker exploited a vulnerability in the Wormhole network, a popular cross-chain protocol, to carry out the second largest cryptocurrency theft from a decentralized finance (DeFi) protocol ever. In a series of transactions, the hacker took possession of about 120,000 Wormhole Ethereum (WeETH) worth more than $320 million.
Why the Wormhole hack is a big deal
Wormhole is a cross-chain bridging protocol that allows users to move cryptocurrencies and NFTs between the Solana and Ethereum blockchains. It appears that the hacker found a bug in Wormhole’s smart contract code that allowed him to issue 120,000 Wrapped Ethereum on Solana (WeETH) without providing the necessary Ethereum equivalent collateral. To understand why this incident is more serious than an average hack, it is necessary to know how cross-chain bridges work. Users interact with cross-chain bridges by sending funds in an asset to the bridge protocol, where those funds are locked into the contract. The user then receives equivalent funds of a parallel asset on the chain to which the protocol bridges. In the case of Wormhole, users usually send Ether (ETH) to the protocol, where it is held as collateral, and WeETH are issued on Solana, backed by that collateral locked in the Wormhole contract on Ethereum.
The hack last February caused $320 million of WeETH on Solana to be unsecured for a period of time. If WeETH had not been backed by Ether, it would have meant that several Solana-based platforms accepting WeETH as collateral could have become insolvent. We could have seen a rush by users to sell their WeETHs, causing their value to plummet, with serious implications for the Solana blockchain and the broad DeFi ecosystem built on it, since many of these protocols also rely on WeETHs to back user-issued assets. In fact, on February 2, 2022, the price of Solana dropped 13.5 percent due to concerns about the hack. Fortunately, the worst-case scenario did not occur. Jump Trading, the parent company of Wormhole and a major player in the Solana ecosystem, provided Ether to replace what was stolen, after attempts to pay a bounty to the hacker in exchange for the stolen funds were ignored. We can see some of these transactions in the Chainalysis Reactor graph below. Translated with www.DeepL.com/Translator (free version)
We can also see two transactions that occurred before the hack itself. First, the hacker received 0.94 ETH from Tornado Cash, an Ethereum-based mixer, which was used to pay gas fees on transactions immediately following the initial hack. Second, the hacker sent 0.1 ETH to a deposit address at a large international exchange.
As can be seen from the Reactor screenshot below, the Wormhole hacker still holds 93,750 ETH on the Ethereum blockchain, which was reconnected from the Solana blockchain after the hack. We can see these Ethers in the address balance shown in the Reactor screenshot below.
The hacker converted the rest of the WeETH, worth about $42.5 million at current prices, into Solana and Wrapped Solana, while a portion was first converted into Solana USDC.
The good news is that investigators, along with many other members of the cryptocurrency community, are watching this address closely, which will make it virtually impossible for the hacker to move the funds undetected.
Below are the cryptocurrency addresses that currently contain the funds stolen in the attack:
Reducing risk in DeFi
As the amount of value passing through cross-chain bridges increases, they become more attractive targets for hackers. DeFi protocols and cross-chain bridges are now critical infrastructure in the cryptocurrency ecosystem, and successful attacks have cascading effects. If users can link funds between chains, it means that each chain’s activities are only secure if the other chains provide watertightness, along with the protocols built on top of those chains. If users think that their cryptocurrencies may not be secured as a result of a hack, we could see something akin to a bank run, which would create a sharp drop in prices and could cause the protocols to become insolvent, affecting the other interconnected protocols.
Although not foolproof, a valuable first step in addressing problems like this could be to make code reviews extremely rigorous and impose the “gold standard,” both for the developers who build the protocols and for the investors who evaluate them.
According to European Union guidelines, the ‘gold standard’ for blockchain includes:
- Environmental sustainability: Blockchain technology should be sustainable and energy efficient.
- Data protection: Blockchain technology should be compatible and, where possible, with strong European data protection and privacy regulations.
- Digital identity: Blockchain technology should comply with and enhance the evolving European digital identity framework. This includes compatibility with electronic signature regulations, such as eIDAS, and support for a reasonable, pragmatic decentralized and self-sovereign identity framework.
- Cybersecurity: Blockchain technology should be able to provide high levels of cybersecurity.
- Interoperability: Blockchains should be interoperable with each other and with legacy systems in the outside world.