Wormhole, one of the largest and most popular bridges between Solana and other blockchains, confirmed on Wednesday that their platform had been hacked for approximately 120,000 ether or $320 million. This makes the exploit the second largest hack in DeFi history, behind only the $600 million Poly Network hack that took place in August 2021 (those funds were eventually returned). This news comes less than one week after hackers made off with approximately $80 million from the DeFi protocol Qubit Finance.
According to Solana’s website, “Wormhole is a communication bridge between Solana and other top decentralized finance (DeFi) networks. Existing projects, platforms, and communities are able to move tokenized assets seamlessly across blockchains and benefit from Solana’s high speed and low cost.” In a Medium post from Solana in October 2020, just after Wormhole was introduced, the following pitch was used to advertise the cross-blockchain bridge: “Ultimately, teams need not encumber themselves to a single chain if they want to leverage the community of one chain with the performance of another.”
Wormhole has over $1 billion in total value locked and currently supports six blockchains: Terra, Solana, Ethereum, Binance Smart Chain, Avalanche, and Polygon. When an asset is transferred from one blockchain to another, Wormhole locks the transaction and mints a “wrapped” version of the asset which can be sent across the bridge. Hackers in this case managed to mint wrapped ETH (wETH) on the Solana blockchain and claim ETH on their own. Before the hack, the bridge maintained a 1:1 ratio of ETH to wETH, however the exploit broke that 1:1 peg. The Wormhole team announced via Twitter that “ETH will be added over the next hours to ensure wETH is backed 1:1.”
A Wormhole admin wrote in its Telegram group that, “as far as we can tell now, only wETH has been affected, no other tokens.” How the Wormhole bridge was exploited remains unclear. In an attempt to negotiate with the hacker, Wormhole offered the following on-chain message: “We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted.”
Update: Jump Crypto, the venture firm that owns the company that developed Wormhole has announced they will replace funds stolen in the hack.