Hackers Take Wormhole Bridge for $322M

Hackers found an exploit in the Wormhole Bridge that allowed them to steal $322M, the second largest DeFi related hack ever.

Wormhole Bridged $322M into a Blackhole
Photo by Sifat Niloy / Unsplash

Hackers hit the popular blockchain bridge Wormhole yesterday, and they made off with the second largest bag of hacked DeFi cash ever. Wormhole is a bridge, which lets you transfer cryptocurrencies between blockchains—in this case, between Ethereum (ETH) and Solana (SOL).  Wormhole uses Ethereum smart contracts to lock up Ethereum and mint wrapped Ethereum in the desired crypto ecosystem. This hack was done in the Solana ecosystem, minting wrapped Ethereum (wETH) on Solana.

The hacker minted 120,000 wETH on Solana, and redeemed 93,750 wETH for ETH on Ethereum’s network. In the Solana ecosystem, the hacker swapped their wETH for $44m in SOL and USDC.

With all of this real ETH disappearing from Wormhole, there are concerns about the company’s ability to back the remaining wETH in circulation. In response, Wormhole tweeted, “ETH will be added over the next few hours to ensure wETH is backed 1:1. More details to come shortly.” There is no update on where the $322M is going to come from, as Wormhole only had $1B in TVL before the hack.

Some of the hacked ETH was invested in unusual projects: SportX (SX), a gambling site; Meta Capital (MCAP), a NFT and Metaverse investment DAO; and Bored Ape Yacht Club Token (APE). In terms of crypto projects, these are all very small cap projects, mostly only a few million.

Wormhole has similar integrations with 7 other projects, such as Terra (LUNA). There have been no other reports of exploits being abused there, and the Wormhole team has frozen the project and patched the bug.

Wormhole has since offered the hackers $10M to return the funds, a gambit which has been successful in previous hacks.