One of the best-known bridges connecting the Ethereum and Solana blockchains lost more than $320 million on Wednesday afternoon in an apparent attack.
It is DeFi’s second-largest attack ever, coming in just behind the $660 million Poly Network crypto heist, and it is the biggest attack ever on Solana, a competitor to Ethereum that is growing in popularity within the non-fungible token (NFT) and decentralized finance (DeFi) markets.
Ethereum is among the most popular blockchain networks and is a major player in the DeFi world, where programmable pieces of code known as smart contracts can replace middlemen such as lawyers and banks in certain kinds of commercial transactions. A more recent competitor, Solana, is growing in popularity because it is less expensive and quicker to use than Ethereum.
Most cryptocurrency holders don’t operate solely within a single blockchain ecosystem, which is why developers have built cross-chain bridges that let users transfer funds from one blockchain to another.
Developers from Wormhole confirmed the vulnerability on the company’s Twitter account, stating that the website is “down to maintain” while the team looks into a “potential attack.” The protocol’s official website is currently down.
A study by CertiK, a cybersecurity firm that specializes in blockchain technology, indicates that the attacker’s earnings to date are at most $250 million in Ethereum, more than $47 million in Solana, and more than four million dollars in USDC, the stablecoin tied to the value of the U.S. dollar.
Bridges such as Wormhole operate using two smart contracts, one on each chain, according to Auston Bunsen, co-founder of QuikNode, which provides blockchain technology to developers and businesses. In this instance, one smart contract was on Solana and the other on Ethereum. A bridge like Wormhole takes an Ethereum token and locks it on one chain, and then, on the chain at the other end of the bridge, issues a parallel token.
A preliminary study by CertiK suggests that the attacker took advantage of a vulnerability in the Solana portion of the Wormhole bridge to mint 120,000 so-called “wrapped” Ethereum tokens for themselves. (Wrapped Ethereum tokens are pegged to the value of the original coin but are interoperable with other blockchains.) It appears that they then used these tokens to claim the Ethereum held on the Ethereum side of the bridge.
Prior to the attack, the bridge held Ethereum at a 1:1 ratio to wrapped Ethereum on the Solana blockchain, “acting in essence as an escrow service,” as per CertiK.
“This attack has broken the 1:1 peg since there’s more than 93.750 ETH that is collateralized,” continued the report.
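The 1:1 escrow relationship described above can be checked by replaying bridge events from both chains and flagging any mint that has no matching lock. The following is an added illustration, not code from Wormhole or CertiK; the event names (`lock`, `mint`, `burn`, `release`), the ids, and every amount other than the article's 120,000 figure are constructed assumptions.

```python
# Added example: toy monitor for a lock-and-mint bridge (not Wormhole's code).
from dataclasses import dataclass, field

@dataclass
class BridgeMonitor:
    locked: int = 0    # units held in escrow on the source chain
    wrapped: int = 0   # wrapped units circulating on the destination chain
    pending: dict = field(default_factory=dict)  # lock id -> amount awaiting mint
    alerts: list = field(default_factory=list)   # (mint id, amount) with no backing lock

    def observe(self, kind, ref, amount):
        if kind == "lock":
            self.locked += amount
            self.pending[ref] = amount
        elif kind == "mint":
            # A backed mint consumes exactly one earlier lock of the same size.
            if self.pending.get(ref) == amount:
                del self.pending[ref]
            else:
                self.alerts.append((ref, amount))
            self.wrapped += amount
        elif kind == "burn":
            self.wrapped -= amount
        elif kind == "release":
            self.locked -= amount
        else:
            raise ValueError(f"unknown event kind: {kind}")

    def shortfall(self):
        """Wrapped units in circulation that have no escrowed backing."""
        return max(0, self.wrapped - self.locked)

def replay(events):
    mon = BridgeMonitor()
    for kind, ref, amount in events:
        mon.observe(kind, ref, amount)
    return mon

# Constructed event stream in whole-token units; only 120,000 comes from the article.
EVENTS = [
    ("lock", "L1", 200_000), ("mint", "L1", 200_000),   # honest deposit, backed mint
    ("mint", "X1", 120_000),                            # mint with no matching lock
    ("burn", "X1", 50_000), ("release", "X1", 50_000),  # partial redemption from escrow
]

if __name__ == "__main__":
    m = replay(EVENTS)
    print("unbacked mints:", m.alerts, "shortfall:", m.shortfall())
```

Redeeming the unbacked tokens does not shrink the shortfall: it drains escrow that backs other holders' wrapped tokens, which is why the peg stays broken until new collateral is added.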
Wormhole says that Ethereum will be added “over in the coming few hours” to ensure that its wrapped Ethereum tokens are backed, but it is not clear where it will get the funds needed to do so.
The wormhole network was exploited for 120k wETH.
ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly.
We are working to get the network back up quickly. Thanks for your patience.
— Wormhole🌪 (@wormholecrypto) February 2, 2022
Ethereum CEO Vitalik Buterin has previously stated that bridges won’t be used for long in the crypto world, partly because there are “fundamental security limits of bridges that span several ‘zones that are sovereign.'”
My argument for why the future will be *multi-chain*, but it will not be *cross-chain*: there are fundamental limits to the security of bridges that hop across multiple "zones of sovereignty". From https://t.co/3g1GUvuA3A: pic.twitter.com/tEYz8vb59b
— vitalik.eth (@VitalikButerin) January 7, 2022
CertiK stated in its post-mortem review of the incident that when bridges hold hundreds of millions of dollars’ worth of assets in escrow and widen their exposure to attack by operating across two or more blockchains, they can become the most attractive targets for hackers.
Crypto platforms have been the target of several high-value exploits in the last few months.
“The 320-million hack of Wormhole Bridge highlights the growing threat to blockchain protocols,” stated CertiK Co-founder Ronghui Gu. “This incident is raising alarms about the growing concerns regarding security issues on blockchains.”