Solana-Ethereum Wormhole Suffers Second Largest Hack in DeFi History. Should We Still Use Bridges?

Solana-Ethereum Wormhole Suffers Second Largest Hack in DeFi History. Should We Still Use Bridges?

By GetBlock | GetBlock | 4 Feb 2022


Wormhole, a bridge mechanism for value transfer between different blockchains, is drained for $320 million.

Surpassed only by the infamous Poly Network $616M white-hat hack, the Wormhole attack will be remembered as one of the most dramatic attacks in Web3.

What happened to Wormhole?

On Feb.2, 2022, a hacker drained Wormhole, a bridge between SolanaEthereum, and other blockchains for more than $320 million. Suspicious transactions were noticed by prominent crypto security analyst Samczun.

Wormhole representative promptly responded and offered a hacker a ‘white-hat’ agreement: he/she can return funds to get $10 mln as a bounty bonus.

On Feb.3, blockchain researchers reverse-engineered the scenario of the attack. Malefactors managed to authorize 80,000 ETH transactions from Solana to Ethereum: in bridges, the liquidity from one blockchain is launched in smart contracts to mint the corresponding number of tokens in the other blockchain.

However, the attackers managed to mint 120,000 ‘Wormhole Ethers’ literally out of thin air without deploying this monstrous sum to Solana’s account.

Simply put, it compromised the smart contract in Solana’s part of the bridge so that it started relying on malicious smart contracts in the procedure of checking Solana's balances.

Once this is done, the exploiter can mint ‘Wormhole Ethers’ and withdraw them using the bridge in a legitimate manner. In total, 120,000 ETH was minted; 93,750 were then sent to attackers.

At the same time, Jump Trading, one of the earliest backers of Wormhole, has already announced the program of ‘backstopping’. They will deposit missing liquidity to the bridge so all funds of its customers are SAFU.

Why is Vitalik Buterin skeptical about cross-network bridges?

Ironically, on Jan.8, 2022, Ethereum’s inventor Vitalik Buterin warned the Web3 community about the possible flaws of the cross-chain bridge.

Despite being a vocal advocate of a multi-blockchain future, Vitalik admitted that the majority of bridges are vulnerable to attacks.

He stressed that attackers can only perform a 51% attack against a bridge to steal the funds from the accounts of the underlying blockchain. He addressed Optimism and Arbitrum as the most popular Ethereum (ETH) scaling and interoperability solutions:

If Ethereum gets 51% attacked and reverts, Arbitrum and Optimism revert too, and so “cross-rollup” applications that hold state on Arbitrum and Optimism are guaranteed to remain consistent even if Ethereum gets 51% attacked. And if Ethereum does not get 51% attacked, there’s no way to 51% attack Arbitrum and Optimism separately.

Simply put, it’s way easier to attack a bridge than to attack a blockchain. While both types of attacks bring the same profits to attackers, they will highly likely target the bridges.

But what about other bridges? Shortly after the incidents, DeFi veterans from Orion Protocol stated that their infrastructure can’t be attacked in the same way.

Closing thoughts

Cross-network bridges are extremely sophisticated platforms: they merge the vulnerabilities of all involved blockchains.

As such, this sphere of Web3 space still has room for growth in terms of security, anonymity, and scalability.

How do you rate this article?

59


GetBlock
GetBlock Verified Member

GetBlock is a premium RPC node provider and Web3 infrastructure platform that connects dApps to 75+ blockchains.


GetBlock
GetBlock

GetBlock is a premium RPC node provider and Web3 infrastructure platform. Launched in Q4 2019, GetBlock is one of the largest blockchain infrastructure vendors, offering RPC nodes for 75+ blockchain networks including Solana, Ethereum, Bitcoin, Polygon, BNB Smart Chain, and Layer 2 networks such as Base, Optimism, and Arbitrum. With GetBlock, teams of crypto applications don’t need to run their own blockchain nodes: instead, they can get connected to blockchains via ready-made API endpoints.

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.