Wormhole Crypto Platform Hacked, Over $320 Million Stolen
An unknown hacker exploited a vulnerability in the code of the cross-chain platform Wormhole, stealing approximately $326 million in cryptocurrency. The attack occurred on February 2, 2022, and targeted Wormhole Portal, a blockchain bridge that allows users to convert one cryptocurrency into another. These bridges use smart contracts to lock the original token and create a wrapped version that can be transferred to another blockchain. Wormhole supports blockchains such as Avalanche, Oasis, Binance Smart Chain, Ethereum, Polygon, Solana, and Terra.
Apparently, the attacker used a bug to trick Wormhole’s systems and minted far more tokens than were originally provided. This allowed them to steal 120,000 wETH (wrapped Ether) tokens, worth about $326 million at the time of the attack. Shortly after, the value of the stolen cryptocurrency dropped to around $294 million due to price fluctuations following news of the hack.
Numerous cybersecurity researchers reported that the root of the problem was related to input data verification, and the exploit allowed the attacker to completely bypass signature checks.
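The lock-and-mint model described above implies an invariant a bridge operator can monitor: every mint maps to exactly one lock of the same amount, and wrapped supply never exceeds locked collateral. The following Python is an added example, not Wormhole's code; the event format, the function name audit_bridge and all sample events are constructed assumptions.

```python
from decimal import Decimal

# Constructed sample events (not real chain data). Each mint on the destination
# chain should reference one lock message observed on the source chain.
SAMPLE_EVENTS = [
    {"type": "lock",   "msg_id": "m1", "amount": "10"},
    {"type": "mint",   "msg_id": "m1", "amount": "10"},
    {"type": "burn",   "msg_id": "b1", "amount": "4"},
    {"type": "unlock", "msg_id": "b1", "amount": "4"},
    {"type": "mint",   "msg_id": "m1", "amount": "10"},      # replay of a used message
    {"type": "lock",   "msg_id": "m2", "amount": "1"},
    {"type": "mint",   "msg_id": "m2", "amount": "5"},       # amount mismatch
    {"type": "mint",   "msg_id": "m9", "amount": "120000"},  # no lock at all
]

def audit_bridge(events):
    """Return (index, reason) alerts for events that break lock-and-mint accounting."""
    locks, burns = {}, {}              # msg_id -> amount not yet consumed
    locked = wrapped = Decimal(0)      # collateral held vs. wrapped supply issued
    breached = False                   # report the supply invariant once per breach
    alerts = []
    for i, ev in enumerate(events):
        kind, mid, amt = ev["type"], ev["msg_id"], Decimal(ev["amount"])
        if kind == "lock":
            locks[mid] = amt
            locked += amt
        elif kind == "mint":
            expected = locks.pop(mid, None)    # a lock may back only one mint
            if expected is None:
                alerts.append((i, "mint without matching unused lock"))
            elif expected != amt:
                alerts.append((i, "mint amount differs from lock"))
            wrapped += amt
        elif kind == "burn":
            burns[mid] = amt
            wrapped -= amt
        elif kind == "unlock":
            if burns.pop(mid, None) != amt:
                alerts.append((i, "unlock without matching burn"))
            locked -= amt
        if wrapped > locked and not breached:
            alerts.append((i, f"undercollateralized: wrapped {wrapped} > locked {locked}"))
            breached = True
        elif wrapped <= locked:
            breached = False
    return alerts

if __name__ == "__main__":
    for index, reason in audit_bridge(SAMPLE_EVENTS):
        print(index, reason)
```

A monitor like this runs independently of the bridge's own signature verification, so it still raises an alert when that verification is bypassed.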
Wormhole’s Response and Aftermath
According to The Record, shortly after the hack, Wormhole’s developers reached out to the unknown hacker and offered $10 million and a “whitehat contract” in exchange for the return of the stolen funds. Journalists noted that such contracts, which justify hackers’ actions, are illegal in some jurisdictions, meaning authorities can still prosecute the attacker even after such an agreement is signed.
According to Wormhole’s official Twitter account, the platform has “restored all funds” and reopened access to the bridge, which had been temporarily locked. They also emphasized that the vulnerability exploited by the attacker has been fixed.
Media outlets CoinDesk and The Block, citing their own sources, reported that the funding to restore the lost assets was provided by the trading firm Jump Trading.