The biggest hack of 2022 so far
This week, there is more bad news for the Solana blockchain as its leading Wormhole bridge was hacked through an exploit for $321 million. The token bridge between Ethereum and Solana saw 120,000 Wrapped ETH(WETH) tokens removed and distributed to the hacker’s Solana and Ethereum wallets. This is the largest crypto hack of 2022 and the second largest DeFi hack to date. The Wormhole team has offered a $10 million bug bounty to return the funds.
Wormhole is a token bridge that lets users send and receive cryptocurrencies between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without using a centralized exchange. A popular feature lets users transition tokens from the Ethereum network and trade them on alternative networks for much lower fees.
The hack took place on the Solana side of the bridge, and there are fears Wormhole’s bridge to Terra could be similarly vulnerable. However, at the time of writing, the Wormhole team assured the community that it would replenish its ETH supply, but no word yet on where those funds will come from or when they might arrive.
Using Solscan and Etherscan, we can see the finer details of the hack. It all started at around 6 PM on February 2. First, the attacker minted 120,000 WETH on Solana, then redeemed 93,750 WETH for approximately $254 million in ETH onto the Ethereum blockchain at around 6.30 PM.
The hacker has since used some funds to buy various tokens and, most interestingly, a Bored Ape Yacht Club Token (APE). The remaining WETH was swapped for SOL and USDC on Solana, and currently, the hacker’s Solana wallet holds 432,662 SOL, or around $44 million.
No other assets or chains served by Wormhole have been reported affected at writing. Still, smart contract auditing firm Certik said in a report that “It is possible that Wormhole’s bridge to the Terra blockchain shares the same vulnerability as their Solana bridge.”
The Wormhole team contacted the hacker through their Ethereum address to get the funds returned. They offered the bad actor $10 million worth of funds if the remaining funds were returned. At the time of writing, WETH tokens sent across the bridge are not yet redeemable while the Wormhole team attempts to fix the problem.
Risks involved in token bridges
Ethereum founder Vitalik Butterin has recently expressed concern about token bridges, more precisely warning of their vulnerability in the event of 51% attacks. His comments arrived earlier this month as more low-cost EVM-compatible Layer-1 networks, like Solana, seek to capitalize on Ethereum’s high gas fees.
He has a strong point, given that cross-chain protocols were among those hit hardest by hackers in 2021. THORChain suffered multiple exploits, while Poly Network was hit by the most significant DeFi hack on record worth $600M million taken, although in this case funds were eventually returned. Buterin stressed “the fundamental security limits of bridges” as the basis of his skepticism regarding cross-chain applications in a comment posted to Reddit on January 8.
This is the second smart contract attack on a token bridge in under seven days. On 28 January, Qubit Finance, a DeFi protocol on Binance Smart Chain was exploited for $80 million using its token bridge.
Solana on the rocks
After what can only be described as a stellar 2021 for Solana, things have started to unravel slightly for the EVM-compatible network in 2022. SOL, its native token, has lost more than 50% of its value over the last three months, while multiple issues around poor performance under stress keep arising. Four incidents in the span of a few months, and a serious exploit in the past week are getting investors spooked as growing concern about the integrity and longer-term network performance of Solana comes into question.
Moreover, it’s important to keep in mind that this entire industry should still be looked at as a testing ground. However, that sort of attitude won’t cut it with investors or traders affected by these types of exploits.
More importantly, competition is certainly heating up to become the leading EVM-compatible layer-1 network with blockchains like Fantom, Avalanche, and Harmony mounting serious charges. Solana will have to work hard to regain users’ trust amidst a sea of available alternative choices. More importantly, the industry needs to perhaps heed Buterin’s words more carefully and look to solve these issues as a collective rather than in silos.
The above does not constitute investment advice. The information given here is purely for informational purposes only. Please exercise due diligence and do your research. The writer holds ETH, BTC, AGIX, HEX, LINK, GRT, CRO, OMI, IMMUTABLE X, GALA, AVASTR, GMEE, CUBE, RADAR, FLOW, FTM, BNB, SPS, WRLD, ATOM, and ADA.