A decentralized finance (DeFi) platform called Wormhole said Wednesday that a hacker made off with approximately $322 million worth of cryptocurrency.
The heist was enabled by a flaw in Wormhole Portal, a "token bridge" that allows people to exchange one cryptocurrency for an equivalent amount of another. The service currently supports the Avalanche, Oasis, Binance Smart Chain, Ethereum, Polygon, Solana and Terra blockchains. (More details can be found in Portal's docs.)
Portal relies on smart contracts to function. According to The Record, someone exploited a flaw in these contracts to effectively "trick the Wormhole project into releasing Ether (ETH) and Solana (SOL) coins far beyond the input they initially provided," which is how they managed to steal $322 million worth of the tokens.
A more detailed technical breakdown was shared by Twitter user "@samczsun," who collaborated with "@gf_256" and "@ret2jazzy" to investigate the flaw in Portal:
"How did the @wormholecrypto exploit work? I joined forces with @gf_256 and @ret2jazzy to reverse engineer the exploit, and now that it's been patched we can finally share it with you👇 pic.twitter.com/lXwD0GLZ3N" (February 3, 2022)
"tl;dr - Wormhole didn't properly validate all input accounts," they explained in a follow-up tweet, "which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum."
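As an added illustration (not code from Wormhole, Solana, or the researchers quoted above), this simplified Rust model shows the class of bug the tweet describes: a mint routine that reads a "signatures verified" flag from a caller-supplied account without confirming which account it is, beside a version that checks first. The account layout, addresses and function names are assumptions made for the example.

```rust
// Toy model of account validation; all names and addresses are constructed.
#[derive(Debug)]
struct Account {
    address: &'static str, // where the account lives
    owner: &'static str,   // program allowed to write its data
    data: Vec<u8>,         // data[0] == 1 means "guardian signatures checked"
}

// Hypothetical identity of the only record the bridge should trust.
const TRUSTED_ADDRESS: &str = "SigCheckRecord";
const TRUSTED_OWNER: &str = "RuntimeVerifier";

#[derive(Debug, PartialEq)]
enum BridgeError {
    UntrustedAccount,
    SignaturesNotVerified,
}

fn flag_set(acct: &Account) -> bool {
    acct.data.first() == Some(&1)
}

// Weak form: trusts the flag in whatever account the caller supplies.
fn mint_unchecked(sig_record: &Account, amount: u64) -> Result<u64, BridgeError> {
    if !flag_set(sig_record) {
        return Err(BridgeError::SignaturesNotVerified);
    }
    Ok(amount)
}

// Hardened form: verify the account's identity and owner before reading it.
fn mint_checked(sig_record: &Account, amount: u64) -> Result<u64, BridgeError> {
    if sig_record.address != TRUSTED_ADDRESS || sig_record.owner != TRUSTED_OWNER {
        return Err(BridgeError::UntrustedAccount);
    }
    mint_unchecked(sig_record, amount)
}

// Constructed sample: a caller-created account that merely claims verification.
fn lookalike() -> Account {
    Account { address: "CallerMadeThis", owner: "CallerProgram", data: vec![1] }
}

// Constructed sample: the genuine record, with the flag set or cleared.
fn genuine(verified: bool) -> Account {
    Account { address: TRUSTED_ADDRESS, owner: TRUSTED_OWNER, data: vec![verified as u8] }
}

fn main() {
    println!("unchecked, lookalike: {:?}", mint_unchecked(&lookalike(), 120_000));
    println!("checked, lookalike:   {:?}", mint_checked(&lookalike(), 120_000));
    println!("checked, genuine:     {:?}", mint_checked(&genuine(true), 120_000));
}
```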
Coinbase puts Ethereum at roughly $2,610 at the time of writing, so the haul is currently worth approximately $245 million. (This is part of the problem with stealing cryptocurrency—the market's volatility means $322 million worth of assets can fall to $245 million overnight. Not that anyone should feel bad for the hackers, of course.)
Wormhole then asked the hacker to return the assets. "We noticed you were able to exploit the Solana VAA verification and mint tokens," it said. "We d [sic] like to offer you a whitehat [sic] agreement, and present you a bug bounty of $10 million for exploit details, and returning the [wrapped Ethereum] you've [sic] minted."
These arrangements—wherein a hacker steals hundreds of millions of dollars worth of crypto and is offered a bounty for its return—are surprisingly common. For example, Poly Network employed the same tactic when $600 million was stolen from it last year, and earlier this week, Qubit Finance offered $2 million for the return of $80 million.
But, as The Record notes, these retroactive bug bounties aren't legal in all jurisdictions. They also incentivize hackers to exploit vulnerabilities in these DeFi projects. If they manage to steal a significant amount of cryptocurrency, they can decide if they want to keep their ill-gotten gains or settle for a smaller bounty.
Wormhole said this morning that it had restored the stolen funds:
"1/2 All funds have been restored and Wormhole is back up. We're deeply grateful for your support and thank you for your patience." (February 3, 2022)
The company hasn't said if the funds were restored because the hacker took the bounty, if it found another way to reclaim the funds, or if it's using its own assets to cover the loss. But it did say it's working on "a detailed incident report and will share it asap." One would hope that report would address the restoration of these funds.