The Wormhole token bridge experienced a security exploit today, resulting in the loss of 120,000 wETH tokens ($321 million) from the platform.<\/p>\n
Wormhole is a token bridge that allows users to send and receive crypto between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without the use of a centralized exchange (CEX). This is the largest crypto hack of 2022 so far and the second largest DeFi hack to date. The Wormhole team has offered a $10M bug bounty for the return of the funds. <\/p>\n
The hack took place on the Solana side of the bridge and there are fears Wormhole\u2019s bridge to Terra could be similarly vulnerable.<\/p>\n
The Wormhole team has assured the community that its ETH<\/a> supply would be replenished to \u201censure wETH is backed 1:1,\u201d but there is no word yet on where those funds will come from or when.<\/p>\n The wormhole network was exploited for 120k wETH. <\/p>\n ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly.<\/p>\n We are working to get the network back up quickly. Thanks for your patience.<\/p>\n \u2014 Wormhole (@wormholecrypto) February 2, 2022<\/a><\/p><\/blockquote>\n The hack<\/a> took place at 6:24pm UTC on Feb. 2. The attacker minted 120,000 wETH (WETH) on Solana, then redeemed<\/a> 93,750 WETH for ETH worth $254 million onto the Ethereum network at 6:28pm UTC. The hacker has since used some funds to buy SportX (SX), Meta Capital (MCAP), Finally Usable Crypto Karma (FUCK), and Bored Ape Yacht Club Token (APE).<\/p>\n The remaining<\/a> WETH was swapped for SOL<\/a> and USDC<\/a> on Solana. The hacker\u2019s Solana wallet currently holds 432,662 SOL ($44 million). <\/p>\n No other assets or chains served by Wormhole have been reported affected, but smart contract auditing firm Certik<\/a> said in a report today that \u201cIt is possible that Wormhole\u2019s bridge to the Terra blockchain shares the same vulnerability as their Solana bridge.\u201d<\/p>\n The Wormhole team contacted the hacker through their Ethereum address to offered to let the hacker keep $10 million worth of funds stolen if the remaining funds are returned.<\/p>\n \u201cThis is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens. We\u2019d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you\u2019ve minted. You can reach out to us at contact@certus.one\u201d<\/p>\n As of the time of writing, wETH tokens sent across the bridge are not yet redeemable while the Wormhole team attempts to fix the exploit.<\/p>\n This is the second smart contract exploit on a token bridge in a week. On Jan. 28, Qubit Finance\u2019s QBridge was exploited<\/a> for $80 million on BSC. It is also reminiscent of the Poly Network hack<\/a> last August wherein $610 million in crypto was stolen off the platform. In that case, nearly all of the funds were returned by the whitehat hacker.<\/p>\n Related: <\/em><\/strong>$2.5B in stolen BTC from Bitfinex hack awakens<\/em><\/strong><\/a><\/p>\n The frequency of smart contract hacks on token bridges serves to validate Vitalik Buterin\u2019s Jan. 7 warning<\/a> that there are \u201cfundamental security limits of bridges.\u201d The Ethereum co-founder\u2019s admonition was within the context of a 51% attack on Ethereum, but his advice was well-timed as he pointed out the general vulnerability apparent on bridges that send tokens across layer-1 blockchains. <\/p>\n<\/div>\n\n
![](\"https:\/\/s3.cointelegraph.com\/uploads\/2022-02\/50720678-298a-4878-ac3e-28aae430a576.PNG\")
<\/figure>\n