What Really Happened During the Wormhole DeFi Attack With Ethereum and Solana?

Wormhole, a very popular bridge between Ethereum and Solana, was the victim of a theft that took over $300 million USD worth of coins from the bridge on February 2, 2022. 

Fortunately, the funds were recovered the next day on February 3, 2022. Certus One, the developer of the Wormhole bridge, came out with a statement offering a $10 million USD bug bounty if the hackers explained how they exploited the bridge. 

How Much Was Stolen in The Wormhole Hack?

The hackers made off with about $250 million USD worth of Ethereum, ~$45 million USD worth of Solana, and about $4 million USD worth of USDC. 

This makes this hack the second largest hack in DeFi. The largest hack was the Poly Network hack worth approximately $600 million USD. 

That said, the Wormhole hack is the largest hack on Solana. 

How The Wormhole Hack Happened?

The specifics of what the Wormhole hackers did is still a little fuzzy. The basics of the hack, however, look something like this: 

Hackers created approximately 120,000 wETH on the Solana side of the Wormhole bridge using an exploit. The hackers then transferred ~90,000 wETH coins to the Ethereum blockchain using the Wormhole bridge. 

Wormhole then issued the hackers ~90,000 ETH in exchange for the ~90,000 fraudulently created wETH on Solana. 

As you can see, the basics of the hack are not particularly complicated to understand, but Certus One still seems to have issues identifying the full extent of the exploit. 

This was a very sophisticated hack. 

The Security of Cross-Chain Bridges

Cross-chain bridges are not particularly secure because they increase the attack vectors for potential hackers. 

Vitalik Buterin recently argued against cross-chain bridges for this very reason. He gave a hypothetical scenario in which someone transfers 100 ETH to Solana on a bridge. Ethereum would then get 51% attacked and the 51% attacker could revert the transaction after the Solana side confirmed the transaction. 

That would make the bridge (escrow) no longer fully backed, which could result in a loss of funds. 

This is not quite what happened in the Wormhole attack, but the idea is shockingly similar. The hacker created fraudulent (ie. non-backed) wETH tokens on Solana, transferred them to Ethereum, and withdrew them from the escrow account on the Ethereum side before anyone found out about the fraudulent wETH tokens. 

Buterin actually argued against cross-chain bridges only a month before the wormhole attack, too. He theorizes that cross-chain bridges will not last much longer as more and more exploits hit these bridges. 

We agree with Buterin with the many vulnerabilities of cross-chain bridges. However, the many exploits on cross-chain bridges will probably not stop people from using them. 

Cross-chain bridges will most likely die when developers figure out a way to move cryptocurrency assets across blockchains without using an escrow/bridge.

Closing Thoughts

The Wormhole bridge hack currently stands as the largest exploit against a cryptocurrency and the second largest cryptocurrency exploit. Buterin even predicted an exploit like that just a month prior. 

This hack will surely put a damper on the use of cross-chain bridges in the short term. But people will likely continue to use cross-chain bridges until a safer alternative comes along. 

Cross-chain bridges are simply too useful and easy to use for them to disappear.