Wormhole, a popular cross-chain crypto bridge between Solana, Ethereum, Avalanche, and others, has restored its missing funds after a hacker yesterday managed to siphon $320 million in Wrapped Ethereum (wETH) out of the protocol.
wETH in Wormhole is a cryptocurrency pegged to the price of Ethereum but interoperable with other networks. To create wETH, users must first stake Ethereum.
The Wormhole team announced on Twitter today that “All funds have been restored and Wormhole is back up.” In a follow-up tweet, they said they fixed the vulnerability shortly after midnight UTC, and “all wETH are backed up 1:1” as of 13:08 UTC.
Jump Trading Group, which has a stake in Wormhole’s development, took credit for replacing the 120,000 in ETHereum taken.
Blockchain analytics site Elliptic concluded that the exploit was due to Wormhole’s failure to validate “guardian” accounts, resulting in the attacker being able to mint 120,000 wETH with no ETH backing it.
The hacker then exchanged 93,750 wETH for Ethereum and changed the remainder for Solana, which they’ve left untouched in their Solana wallet.
Who restored the funds?
After Wednesday’s hack, Wormhole sent a message to the attacker on the Ethereum blockchain.
It said: “This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens. We d [sic] like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted.”
Half an hour later, the team tweeted that Wormhole was “down for maintenance as we look into a potential exploit.”
Wormhole then broke news of the exploit on Twitter, adding, “ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly.”
Attacks on cross-chain bridges are multiplying as more blockchains become popular. Last week, a cross-chain bridge in DeFi protocol Qubit was hacked for $80 million.
The week before that, $3 million was drained by multiple hackers attacking cross-chain router protocol Multichain. A whitehat hacker later returned $900,000 of it, but the rest is still unaccounted for.
Clearly, cross-chain vulnerabilities have to be addressed if this is not to become a weekly occurrence.
Editor’s note: This article has been updated to indicate Jump’s involvement.