The Wormhole cryptocurrency platform was exploited by a threat actor to steal an estimated $322 million in Ether.
Wormhole Portal, a web-based programme known as a “blockchain bridge” that allows users to exchange one cryptocurrency for another, was the victim of an attack earlier today.
Using smart contracts on the Ethereum blockchain, bridge portals transform an input cryptocurrency into a temporary token, which they then convert into the user’s desired output cryptocurrency.
The attacker is suspected of exploiting this mechanism to trick the Wormhole project into distributing Ether (ETH) and Solana (SOL) currencies significantly in excess of the input the attacker had initially provided.
Crypto-assets valued at $322.8 million at the time of the hack have fallen to $294 million as a result of market variations since the incident became public knowledge.
No Wormhole official has responded regarding today’s attack; nevertheless, the project confirmed it on Twitter earlier today and has put its site into maintenance mode while it investigates.
‼️ The wormhole network is down for maintenance as we look into a potential exploit.
📢 We will provide updates here as soon as we have them.
🙏 Thank you for your patience.
— Wormhole🌪 (@wormholecrypto), February 2, 2022
The attack is part of a recent “pattern of abusing [blockchain bridges],” according to ZenGo CTO Tal Be’ery, who alerted The Record to the Wormhole attack.
A hacker stole $80 million from Qubit Finance just a week earlier in a similar attack on another blockchain bridge.
DeFiYield data suggests that once Wormhole formally confirms the amount of stolen funds, this will be the largest cryptocurrency platform theft of 2018 so far, and the second-largest hack of a DeFi platform overall.
Wormhole is offering the hacker $10 million as a “bug bounty.”
Wormhole is urging the hacker to return the stolen funds in exchange for a $10 million bounty and a “whitehat contract.” As Be’ery pointed out, a “whitehat contract” means the platform will not file a criminal complaint against the perpetrator, just as happened with Qubit’s hack.
Although such contracts exonerating hackers are allowed in some places, authorities may continue to pursue the hacker even if the platform has exonerated them.