Skip to main content

Wormhole cryptocurrency platform hacked for $325 million after error on GitHub

Wormhole cryptocurrency platform hacked for $325 million after error on GitHub

/

A security flaw was fixed but seemingly not applied to the live application before it was hacked

Share this story

Illustration by Alex Castro / The Verge

On Wednesday, the decentralized finance (DeFi) platform Wormhole became the victim of the largest cryptocurrency theft this year — and among the top five largest crypto hacks of all time — when an attacker exploited a security flaw to make off with close to $325 million.

The attack seems to have resulted from a recent update to the project’s GitHub repository, which revealed a fix to a bug that had not yet been deployed to the project itself.

The attack took place on February 2nd and was noticed when a post from the Wormhole Twitter account announced that the network was being taken “down for maintenance” while a potential exploit was investigated. A later post from Wormhole confirmed the hack and the amount stolen.

Shortly after the attack, the Wormhole team also offered the hacker a $10 million bounty to return the funds, which was embedded as text in a transaction sent to the attacker’s Ethereum wallet address.

Ethereum transaction data showing a message to wormhole attacker offering a $10 million bounty

Wormhole provides a service known as a “bridge” between blockchains, essentially an escrow system that allows one type of cryptocurrency to be deposited in order to create assets in another cryptocurrency. This allows a person or entity with holdings in one cryptocurrency to make trades and purchases using another, somewhat like being able to fund a bank account in dollars and then use a bank card to buy something priced in euros.

To carry out the attack, the attacker managed to forge a valid signature for a transaction that allowed them to freely mint 120,000 wETH — a “wrapped” Ethereum equivalent on the Solana blockchain, with value equivalent to $325 million at the time of the theft — without first inputting an equivalent amount. This was then exchanged for around $250 million in Ethereum that was sent from Wormhole to the hackers’ account, effectively liquidating a large amount of the platform’s Ethereum funds that were being held as collateral for transactions on the Solana blockchain.

Open-source code commits show that code that would have fixed this vulnerability was written as early as January 13th and uploaded to the Wormhole GitHub repository on the day of the attack. Just hours later, the vulnerability was exploited by the hacker, suggesting that the updates had not yet been applied to the production application.

As software developer Matthew Garrett observed on Twitter, the code upload was described as if it were a run-of-the-mill version update but actually contained extensive changes — a fact that could have tipped off the attacker to the fact that it was a disguised security fix.

Another file available through the Wormhole Github page also details a security audit conducted by security research company Neodyme between July and September 2021. It is not clear whether the vulnerability was present during the audit period, and Neodyme did not respond to a request for comment.

Due to the nature of cross-chain applications, the attack temporarily left a huge deficit between the amount of wrapped Ethereum and regular Ethereum held in the Wormhole bridge — as if the collateral asset backing a loan had suddenly disappeared. According to Forbes, the attack caused a 10 percent drop in the value of the Solana cryptocurrency in the aftermath of the hack.

The Wormhole team has announced that more Ethereum will be added to the bridge to replace the stolen collateral funds, effectively meaning that the company will need to find $325 million in assets to plug the gap.

At this stage, it is unclear where the funds will come from. Questions sent to Jump Crypto, parent company of the developers of the Wormhole application, had not received a response at time of publication.