What happened?

By now, many crypto investors have heard of Tuesday's hack of the Wormhole smart contract software that allowed the theft of 120,000 Ethereum (ETH) tokens worth about $320 million. This incident was deeply problematic, since it resulted in exploitation and financial losses for the company that released the software, but investor funds have been restored.

So what is the Wormhole bridge? It acts as a connector that can send crypto transactions and tokens back and forth between Ethereum, Solana, and other networks. Wormhole is a project by Certus One, which is owned by privately held Jump Trading, LLC.

In a nutshell, the attacker forged the signature on a transaction in Wormhole, then submitted the invalid transaction to the Solana (SOL) network as a valid one, which allowed the fraudulent minting of a large number of ETH tokens on the Solana network. They then transferred many of those tokens to a digital wallet on the Ethereum network.

[Image: picture of a wormhole between worlds. Image source: Getty Images.]

Apparently, the vulnerability had already been detected and fixed in the code that interoperates between Wormhole and Solana, but the fix had not yet been deployed to Wormhole. This allowed the attacker to exploit vulnerable, deprecated code to accomplish their theft. This is reassuring in one way (the problem had already been detected and addressed) but disturbing in another (despite the available fix, the vulnerability was not blocked).

What the Wormhole and Solana teams have done

Certus One contacted the hacker(s) as soon as the software problem was fixed, offering them a $10 million bug bounty if they work collaboratively to restore the stolen ETH. There is also a $10 million reward available to anyone else who can provide details that lead to the arrest and conviction of the hacker.

Wormhole has released an incident report, which demonstrates fast action among a distributed set of stakeholders. The hack was detected and action coordinated to respond to it within an hour of its occurrence. Within two hours, the fix had been applied and verified, and all stakeholders had agreed to a plan for how to restore services in compliance with governance protocols. Process changes are pending to streamline the application of future fixes. 

As hacks go, this one was handled quickly, and because the ETH tokens were replaced by Jump Trading, no investor funds were lost. Neither the Solana nor the Ethereum network was halted. However, it was an eye-opening reminder that bugs happen in software development, and no matter how secure a design, clever hackers can sometimes step around intended mechanisms. Investors are lucky that Jump Trading was able to replace the missing ETH, restoring investors' digital assets. Let's hope investigators will be able to identify the hacker and recover the stolen funds.

Meanwhile, Solana has announced a security-boosting hackathon, #riptide, that offers $5 million in prizes. The international #riptide hacking event will run from Feb. 2 through March 17, 2022.