A threat actor has abused a vulnerability in the Wormhole cryptocurrency platform to steal an estimated $322 million worth of Ether currency.
The attack took place earlier today and impacted Wormhole Portal, a web-based application—also known as a blockchain “bridge”—that allows users to convert one form of cryptocurrency into another.
Bridge portals use “smart contracts” on the Ethereum blockchain to convert an input cryptocurrency into a temporary internal token, which they later convert into the user’s desired output cryptocurrency.
The attacker is believed to have exploited this process to trick the Wormhole project into releasing Ether (ETH) and Solana (SOL) coins far beyond the input they initially provided.
According to reports, the attacker stole crypto-assets worth $322.8 million at the time of the attack; their value has since depreciated to $294 million due to price fluctuations following news of the hack.
While a Wormhole spokesperson has not returned a request for comment on today’s incident, the company confirmed the attack earlier today on Twitter and has put its site into maintenance mode while it investigates.
Tal Be’ery, CTO at cryptocurrency wallet app ZenGo and the one who alerted The Record about the Wormhole attack, said the hack is part of a recent “trend of exploiting [blockchain] bridges.”
Just a week earlier, a similar attack took place against another blockchain bridge when a hacker stole $80 million from Qubit Finance.
Once Wormhole formally confirms the amount of stolen funds, the incident will likely become the largest hack of a cryptocurrency platform so far this year, and the second-largest hack of a decentralized finance (DeFi) platform of all time, according to data compiled by the DeFiYield project.
Wormhole offers hacker $10 million as “bug bounty”
Be’ery pointed out that just like in the Qubit hack, Wormhole is now appealing to the hacker and asking them to return the stolen funds in exchange for a $10 million reward and a “whitehat contract” that will most likely mean the platform won’t file any criminal complaint against the attacker.
However, as a former Uber executive found out, such contracts exonerating hackers are not legal in certain jurisdictions, and authorities might still go after the attacker.