Surpassed only by the infamous Poly Network $616M white-hat hack, the Wormhole attack will be remembered as one of the most dramatic attacks in Web3.
What happened to Wormhole?
On Feb.2, 2022, a hacker drained Wormhole, a bridge between Solana, Ethereum, and other blockchains for more than $320 million. Suspicious transactions were noticed by prominent crypto security analyst Samczun.
Wormhole representative promptly responded and offered a hacker a ‘white-hat’ agreement: he/she can return funds to get $10 mln as a bounty bonus.
On Feb.3, blockchain researchers reverse-engineered the scenario of the attack. Malefactors managed to authorize 80,000 ETH transactions from Solana to Ethereum: in bridges, the liquidity from one blockchain is launched in smart contracts to mint the corresponding number of tokens in the other blockchain.
However, the attackers managed to mint 120,000 ‘Wormhole Ethers’ literally out of thin air without deploying this monstrous sum to Solana’s account.
Simply put, it compromised the smart contract in Solana’s part of the bridge so that it started relying on malicious smart contracts in the procedure of checking Solana's balances.
Once this is done, the exploiter can mint ‘Wormhole Ethers’ and withdraw them using the bridge in a legitimate manner. In total, 120,000 ETH was minted; 93,750 were then sent to attackers.
At the same time, Jump Trading, one of the earliest backers of Wormhole, has already announced the program of ‘backstopping’. They will deposit missing liquidity to the bridge so all funds of its customers are SAFU.
Wormhole vulnerability patched and the wETH backstop is in place— Kanav Kariya 🦬 (@KariyaKanav) February 3, 2022
I’m so damn proud of everyone on the Jump and Wormhole teams today. Insane tenacity and energy in face of a wildly difficult situation
Why is Vitalik Buterin skeptical about cross-network bridges?
Ironically, on Jan.8, 2022, Ethereum’s inventor Vitalik Buterin warned the Web3 community about the possible flaws of the cross-chain bridge.
Despite being a vocal advocate of a multi-blockchain future, Vitalik admitted that the majority of bridges are vulnerable to attacks.
He stressed that attackers can only perform a 51% attack against a bridge to steal the funds from the accounts of the underlying blockchain. He addressed Optimism and Arbitrum as the most popular Ethereum (ETH) scaling and interoperability solutions:
If Ethereum gets 51% attacked and reverts, Arbitrum and Optimism revert too, and so “cross-rollup” applications that hold state on Arbitrum and Optimism are guaranteed to remain consistent even if Ethereum gets 51% attacked. And if Ethereum does not get 51% attacked, there’s no way to 51% attack Arbitrum and Optimism separately.
Simply put, it’s way easier to attack a bridge than to attack a blockchain. While both types of attacks bring the same profits to attackers, they will highly likely target the bridges.
But what about other bridges? Shortly after the incidents, DeFi veterans from Orion Protocol stated that their infrastructure can’t be attacked in the same way.
We’ve seen three bridge exploits in the last fortnight alone. What happened, and why can’t #OrionBridge fall prey to the same exploits?— Orion Protocol (@orion_protocol) February 2, 2022
Read the thread below 👇 https://t.co/WR2YqT7SWA $ORN https://t.co/JevB29lITP
Cross-network bridges are extremely sophisticated platforms: they merge the vulnerabilities of all involved blockchains.
As such, this sphere of Web3 space still has room for growth in terms of security, anonymity, and scalability.