By using an exploit in the software of crypto-trading platform Wormhole, threat actors have stolen an estimated $322 million in cryptocurrencies. The platform is offering a $10 million award for the  stolen money and details about the attack.

How they pulled it off

Wormhole Portal is a web-based application that allows users to convert one form of cryptocurrency into another. These portals are often referred to as blockchain bridges. Basically they use Ethereum smart contracts (computer code stored on a blockchain) to connect the input currency and the desired output currency.

The attacker is believed to have exploited this process to trick the Wormhole project into releasing Ether (ETH) and Solana (SOL) coins for a far greater value than their input value. Analysis by experts showed that the attacker created a guardian account by using information pointing back to an earlier, legitimate and much smaller, transaction.

The short version of what happened is easy. Wormhole didn’t properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.

Earlier this year, Ethereum co-founder Vitalik Buterin already pointed out the fundamental security limits of bridges on Reddit, where he argued for a multi-chain blockchain ecosystem rather than the cross-chain applications, like bridges.

“it’s always safer to hold Ethereum-native assets on Ethereum or Solana-native assets on Solana than it is to hold Ethereum-native assets on Solana or Solana-native assets on Ethereum.”

Isn’t it ironic that he used exactly the currencies that were involved in this hack in his example?

Currency trading platforms

Crypto exchanges work like traditional money exchanges, setting prices for various currencies and taking a small fee to let users trade one. But while traditional exchanges are highly regulated by governments and international banks, it’s relatively easy to set up a cryptocurrency exchange nearly anywhere in the world and run it however you like. And under the hood they are just websites, websites that inherit all of the insecurities of the current state of web development in 2022 and inherit none of the considerable security inherent in blockchains, which are designed to prevent tampering, not theft.

Personally, I had never heard of the Wormhole platform before. That may be just me, but I’m guessing the same is true for many people. So how is it possible that someone can steal that amount of money from a platform most people have never even heard of? I was in no way shocked or surprised however to learn that such a platform can be hacked. It has happened before and it will happen again. In 2021 alone, there have been more than 20 incidents where a threat actor stole at least $10 million in digital currencies from a crypto exchange or project.

In this “industry” of fast moving money, huge profits–and losses–can be made and all that comes spiced with a hint of secrecy and hi-tech. But apparently it is more important to be the first to introduce new technologies than it is to check whether the security is in place to keep everything in check. We all know that we don’t need to invest in a fire-proof safe for the small amount of cash most people have. The investment would outweigh the risk. But if you are dealing in millions of dollars you might at least check that your account validation is waterproof, right?

The end?

Probably not. To be continued is more likely.

At the time of writing the Wormhole Portal is displaying a message stating:

“We’re actively working to get Portal back up and running.

A fix has been deployed and all funds are safe.

Thank you for your support and trust.”

In a message left on the blockchain we can read:

“We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at contact(@)certus.one”

Where we would like to take exception against the use of the term “bug bounty” which we would like to reserve for legitimate white hat hackers, working to make the world a safer place. This white hat guild holds no seat for a thief that exploits first and then sells the information about how they did it. Surely the only reason they would accept this deal is to avoid having a criminal complaint filed against them.

The only good news is that it looks like the exchange plans to carry on business so it did apparently not get robbed beyond recovery. Unfortunately, many others in the past have had to pull the plug after such an incident, leaving investors and traders in the cold.