The Wormhole network, used to bridge the Solona blockchain platform with other decentralized finance (DeFi) projects, lost about $320 million in cryptocurrency funds after a novel vulnerability was exploited on February 2.
Wormhole says that the vulnerability has been patched and that all funds have been restored, and that the project will be backing funds one-for-one with Ether going forward.
DeFi project hack latest in a string of high-value crypto thefts
The stolen funds consisted of 120,000 wrapped Ether (wETH), a form of standardized token that represents a variety of cryptocurrency types and allows them to be traded directly. It is unclear where the funds the victims were reimbursed with came from, but Wormhole has pledged to back wETH one-for-one with the Ethereum network’s Ether coin going forward.
The company is also offering a bounty of $10 million for information leading to the arrest of the responsible party or recovery of the stolen funds, and has announced that it will be launching an ongoing bug bounty program on Immunefi sometime this month that will offer maximum bounties of $3.5 million for disclosure of new vulnerabilities.
Wormhole’s post mortem incident report indicated that a signature verification vulnerability was exploited. The perpetrator targeted wETH tokens on Solana that were not tied to Ethereum deposits, bridging them to Ether in order to steal them.
Roger Grimes, Data Driven Defense Evangelist for KnowBe4, expands on the particular vulnerability used to breach the Wormhole network: “The theft was allowed because of a rather common programming error. The function inside of the multiple nested smart contracts which was supposed to verify the signature was not coded to ensure the integrity check actually happened. So there was no integrity guaranteed in the integrity check. Yeah, that is a problem … The cryptocurrency world is full of trillions of dollars. It is an immature industry using immature code, and like all new industries, it is moving ahead at warp speed, good security be damned. It is getting harder and harder for traditional hackers and bug finders to find really good exploits in Microsoft Windows, Macs, Linux and Google ChromeOS. They find plenty of bugs, but it is becoming harder as those platforms mature, including the experienced coders, tools and the protective mechanisms of the operating systems themselves. But the cryptocurrency world is the exact opposite. It is built on very secure protocols and algorithms, but then a lot of very immature and buggy applications are built on top of it.”
The $320 million total makes this the second-largest breach of a DeFi project in history, but the largest in terms of funds that have not been returned – the $602 million breach of the Poly Network in September 2021 was the largest, but nearly all of those funds were eventually returned in a “whitehat” agreement. This also makes the Wormhole network incident one of the top five overall cryptocurrency breaches of all time, behind only the likes of the Coincheck and Mt. Gox attacks of years past.
The incident once again calls into question the level of expected security from DeFi projects, a central contradiction (and concern for buyers) with these systems. DeFi projects are appealing because of their complete decoupling from government oversight and fiat currency, but that also removes them from the scrutiny of regulators and law enforcement. One must trust each platform to be not only honest and unscrupulous, but technically sound and properly secured. In total, about $2.2 billion was stolen from DeFi protocols due to vulnerabilities in 2021, and an additional $10 billion was lost due to scams.
And just one month into the new year, the Wormhole network breach is already the second major incident involving a DeFi project. The Qubit Finance network, a loan and trading platform, was hit on January 27 for $80 million in Binance coins.
Wormhole network represents increasing trend in crypto heists
“Bridge” DeFi projects such as these are uniquely vulnerable to cyber attacks as they have the capability of making deposits across chains using an internal representation of value rather than having to actually move the tokens immediately. An attacker can essentially draw tokens on the other end by leveraging the DeFi project’s “line of credit” in this sense.
And when these platforms are hit, they tend to do damage control by sending the attacker a private note through the blockchain asking them to return the funds and play the situation off as a “whitehat” vulnerability demonstration. In the two recent cases, this was accompanied by an offer of a $10 million reward; not exactly a strong disincentive to attempt the heist. But though crypto enthusiasts would prefer government stay away from the whole process, these offers of payment could be illegal in certain jurisdictions and give authorities the opportunity to go after the platform.
As Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, observes, a general perception that the blockchain itself is secure and unbreakable sometimes translates into an overabundance of faith in the services that operate on top of it: “I think that people extrapolate the approximate truth that blockchain technology has so far proven to be relatively secure to mean that any cryptocurrency related instrument must therefore also be secure. The reality is that technologies like smart contracts built on top of blockchains contain their own logic that is subject to errors or edge cases not anticipated by the creators … These larger malicious organizations could go further than simply examining advanced instruments for innocent logic errors or edge cases but go further by actively applying pressure including threats of violence to insiders and developers to purposely introduce vulnerabilities that they can then exploit.”
DeFi is expected to continue to explode in popularity regardless of these heists, which means more DeFi projects are likely to go through experiences just like the Wormhole network breach. As the platforms develop reputations for issues such as these, consumers are likely to demand that they demonstrate they have hired experienced developers with a reputation for scouring code and ensuring security is up to standard.
Some are also leaning toward decentralized applications that allow end users to mint and deploy their own tokens that comport to the standards of their blockchain of choice from their own wallet, with bots that constantly patrol looking for signs of hacking and automatically freezing suspicious transactions. This solution would still require a foundation of strong code, however, and trust in the developers to do everything the right way.