Cryptocurrency platform Wormhole was hacked today for an estimated $322 million after a threat actor abused a vulnerability in the platform. The incident targeted Wormhole Portal, a web-based platform that enables users to convert one type of cryptocurrency into another. Such a portal is also known as a blockchain bridge.
Bridge portals transform input crypto into a temporary internal token using smart contracts hosted on the Ethereum network. They then convert the temporary internal token into the user’s desired output crypto at a later time. It is suspected that the attacker took advantage of this mechanism to deceive the Wormhole project into releasing significantly more Ether (ETH) and Solana (SOL) coins than the input they had previously provided. (Source: C. Cimpanu, The Record.)
Trend Of Exploiting Blockchain Bridges
The attacker allegedly made off with crypto-assets that were valued at a total of $322.8 M at the time of the incident, but their value has now dropped to $294 M as a result of price swings that occurred after the news of the theft became public. A spokeswoman for the firm has not responded to a request for comment on the incident. Nevertheless, the company has since confirmed the theft on Twitter and has put its website into maintenance mode while it examines the situation.
According to Tal Be’ery, CTO of the cryptocurrency wallet app ZenGo and the person who notified users about today’s theft, the breach is part of a recent trend of attacking blockchain bridges. He said that this trend has become more prevalent in recent months. Users have likely witnessed one of the biggest crypto hacks.
A comparable breach occurred against another blockchain bridge exactly one week earlier, when an attacker made off with $80M from Qubit Finance. According to data collated by the DeFiYield project, once the network officially verifies the amount of funds stolen, the theft will likely become the greatest hack of a crypto platform so far this year, and the second-largest theft from a decentralized finance (DeFi) network of all time.
Unraveling The Huge Attack
The vulnerability arose because the implementation contract behind a Universal Upgradeable Proxy Standard (UUPS) proxy was left uninitialized. This occurred after an earlier bugfix had undone the initialization that had previously been completed. According to a blog post by Immunefi, this meant that an attacker could pass in their own Guardian set and proceed with the upgrade as a Guardian that they controlled.
An attacker could then use submitContractUpgrade() to attempt an upgrade, which would result in a DELEGATECALL to an address supplied by the attacker. That address would then execute a SELFDESTRUCT opcode, destroying the implementation contract. A member of the white hat community who uses the alias Satya0x responsibly disclosed a significant flaw that was present in the network’s core bridge contract on Ethereum.
Satya0x said he feels a sense of accomplishment from having contributed to the ecosystem’s defense against a significant vulnerability as well as a systemic danger. In addition, he lauded Wormhole’s management of the entire bug bounty process as well as Immunefi’s role as an informed, visible, and credibly impartial third party. Satya0x also raised some serious questions for the blockchain community.
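The uninitialized-implementation condition described above, shown as an added example that is not Wormhole's code or part of the original article: a hypothetical bridge logic contract in its unlocked shape beside a hardened shape whose constructor locks the implementation's own storage. All contract and function names are assumptions, and MinimalProxy is a stripped-down stand-in for a UUPS proxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. All names are hypothetical; this is not Wormhole's code.

// Vulnerable shape: deployed with its own storage untouched. initialize() called
// through a proxy writes the proxy's storage only, so at the implementation's
// own address `initialized` stays false and anyone can call initialize() there.
contract BridgeLogicUnlocked {
    bool public initialized;
    address[] public guardians;

    function initialize(address[] calldata initialGuardians) external {
        require(!initialized, "already initialized");
        initialized = true;
        guardians = initialGuardians;
    }
}

// Hardened shape: the constructor runs once, in the implementation's own
// storage, and locks initialize() there. A proxy never runs this constructor,
// so its storage still starts uninitialized and can be set up exactly once.
contract BridgeLogicLocked {
    bool public initialized;
    address[] public guardians;

    constructor() {
        initialized = true; // lock the implementation contract itself
    }

    function initialize(address[] calldata initialGuardians) external {
        require(!initialized, "already initialized");
        initialized = true;
        guardians = initialGuardians;
    }
}

// Minimal forwarding proxy so both shapes can be compared on a local test chain.
// The logic address is immutable, so it occupies no storage slot of the proxy.
contract MinimalProxy {
    address private immutable logic;
    constructor(address logic_) { logic = logic_; }

    fallback() external payable {
        (bool ok, bytes memory ret) = logic.delegatecall(msg.data);
        require(ok, "delegatecall failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }
}
```

On a local test chain, calling initialize() directly on a deployed BridgeLogicLocked reverts, while the same call through a MinimalProxy pointing at it succeeds once. Projects using OpenZeppelin's Initializable get the same lock by calling `_disableInitializers()` in the implementation's constructor.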
He further said that the difficulties associated with maintaining network data security pose a fundamental obstacle to the realization of the future the community is working to create. Satya0x said that if people fail to understand and aggressively minimize systemic risk, and if they continue to criticize minor errors while applauding Total Value Lost as the primary metric of success, they run the risk of facilitating the resumption of the very hierarchies they wish to eradicate.
Wormhole’s Bug Bounty Offer To The Attacker
In a similar manner to the Qubit incident, Tal Be’ery noted that after the hack, the firm is now pleading with the attacker to return the stolen assets in exchange for a $10 M reward and a whitehat contract, which will likely prevent the firm from filing any charges against the individual. However, as a former Uber executive discovered, such agreements exonerating attackers or hackers are not lawful in certain locations, and authorities may still go after the individual anyway.
The rationale for giving such a large reward lies in the frequent and massive losses that follow from successful breaches of DeFi systems. Not the least of these losses was the $325 M that was taken from Wormhole itself earlier this year. The compensation breaks the previous record for the largest bug bounty, which was a reward of $2 M for a ‘double spend’ vulnerability that was awarded to ethical hacker Gerhard Wagner in October 2021 by Polygon.
Many are criticizing the network for the big bug bounty. To put the value of this reward into an even better perspective, consider that it is greater than the total amount that Google will pay out across all of its Vulnerability Reward Programs (VRPs) in 2021, which is $8.7 M. Another DeFi network known as MakerDAO is also providing the opportunity for a maximum reward of $10 M.