Are you a robot?
Why did this happen?
Crypto site Wormhole tells users “all funds are safe” after $320 mln hack
LONDON, Feb 3 (Reuters) - Decentralised finance site Wormhole said on its Telegram channel that “all funds are safe” after it was rocked by a $320 million hack, the fourth-largest cryptocurrency heist on record. read more It did not give further details or respond to Reuters requests for comment. Reporting by Tom Wilson; editing by Sujata Rao
Disclaimer: The views expressed in this article are those of the author and may not reflect those of Kitco Metals Inc. The author has made every effort to ensure accuracy of information provided; however, neither Kitco Metals Inc. nor the author can guarantee such accuracy. This article is strictly for informational purposes only. It is not a solicitation to make any exchange in commodities, securities or other financial instruments. Kitco Metals Inc. and the author of this article do not accept culpability for losses and/ or damages arising from the use of this publication.
What your organization can learn from the $324 million Wormhole blockchain hack
The hacker that made off with millions from blockchain bridge service Wormhole exploited an incredibly common coding error that could be lurking in anyone’s software.
Those following the tech world have probably heard about the recent hack of blockchain bridging service Wormhole that has amounted to the fourth-largest crypto theft, and second-largest De-Fi theft, ever. The attacker who found the exploit created 120,000 Ethereum out of nothing, and made off with about $324 million of it.
For background, Wormhole is a service that lets users exchange cryptocurrencies across blockchains, sort of like swapping one fiat currency for another. In this particular case, the attacker exploited Wormhole in such a way that they were able to trick it into minting 120,000 wrapped ethereum (wETH, a 1:1 value equivalent token that represents ethereum) on the Solana blockchain, most of which the attacker then moved to the ethereum blockchain.
Unfortunately for Wormhole, all of that exploit-created wETH had to steal value from somewhere, and it came from Wormhole’s store of ethereum that lets it back all the wETH on its network.
SEE: Metaverse cheat sheet: Everything you need to know (free PDF) (TechRepublic)
With those funds missing, Wormhole was unable to say that its network was able to back transactions involving ethereum. It shut down to assess the problem, and with no recourse to recover its stolen funds Wormhole took to actually pleading with the attacker to return the stolen ethereum in exchange for a $10 million bug bounty.
The attacker has yet to accept the offer, and Wormhole was only able to restore its missing crypto thanks to the generosity of another crypto investment organization called Jump Trading, which said of its charitable giving that “we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop.”
A lesson for everyone: Validate your input
Setting aside the lost funds, charitable giving and overall catastrophe (in a long run of crypto catastrophes) that is the Wormhole hack; ignoring the complexity that is blockchains, to say nothing of cross-blockchain technology; and setting aside the unstable value and environmental impact of crypto, there’s a lesson to be learned from this attack that has, unfortunately, yet to be taken to heart: Validate your input.
According to security researchers who quickly took to Twitter with their findings, the exploit that allowed the attacker to pull 120,000 ETH out of the … ether was because Wormhole wasn’t properly validating what it calls “guardian accounts,” which are considered more secure than regular user accounts.
Using a series of blockchain transactions to insert fake credentials, the attacker was able to fool Wormhole into pulling sysvar instructions from fake ones they had created during Wormhole’s signature verification process. In short, the attacker exploited the fact that Wormhole didn’t properly validate the accounts, giving the attacker the chance to insert their own fake commands that made it appear as if they had the authority to mint ethereum.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Roger Grimes, a data-driven defense evangelist for KnowBe4, said that the programming error Wormhole made was rather common, but serious nonetheless. “The function inside of the multiple nested smart contracts which was supposed to verify the signature was not coded to ensure the integrity check actually happened. So, there was no integrity guaranteed in the integrity check. Yeah, that is a problem,” Grimes said.
Secure development lifecycle (SDL) coding should be standard practice for everyone, Grimes said. Unfortunately, “most developers and smart contact creators aren’t trained in SDL and get little to no training in secure development,” Grimes said. The end result of that training shortage is that more code with more exploits (many common and easily exploited) appear in the wild.
The cryptocurrency world, Grimes warns, “is an immature industry using immature code, moving ahead at warp speed.” Combine that with trillions of dollars in value and you have the perfect recipe for theft and fraud. Toss in a community that recoils at the thought of regulation and you have the perfect environment for crimes like the Wormhole hack, which enriched an individual attacker for very little risk.
Grimes said that there are lessons to be learned from the Wormhole hack, but he doesn’t seem confident that those lessons will be taken to heart. “You always hope that when the next cool digital thing happens that we will better apply the security lessons learned from the previous platforms. But we always seem to want there to be more digital blood on the ground than there needs to be. We always, over and over, want to learn the hard way,” Grimes said.
Take this news as a sign to look at your own systems. You may not be personally responsible for software that moves billions of dollars, but someone will suffer a loss when a breach inevitably occurs, and you could avoid being that victim through a bit of proactive security work.
Hacker magics $300M worth of crypto out of thin air in fourth largest blockchain heist ever
Audio player loading…
A large-scale crypto heist that occurred last night could be the fourth largest of all time. A cryptocurrency portal, Wormhole, has been hacked and funds stolen valued at $300–330 million. Confirming the hack yesterday, Wormhole has since patched the exploit in its system which allowed hackers to steal nearly 120,000 wETH, a 1:1 exchangeable token with the Ethereum network’s ether.
Wormhole is a cryptocurrency network, or bridge, that allows users to transfer cryptocurrency between various blockchains, including the Ethereum and Solana networks. It essentially works by holding a user’s tokens in a smart contract on the departing chain, and then minting a wormhole ‘wrapped’ token on the destination chain. These wrapped tokens can then be swapped for native tokens on the destination chain, effectively swapping crypto between major chains.
Now, somewhere in that process of minting and wrapping there was an exploit, one which has allowed a hacker to mint wrapped coins on a network that they didn’t have to transfer, in this case 120,000 wETH on the Solana network, which uses the cryptocurrency SOL.
The 120,000 figure has since been confirmed by Wormhole directly, which values the entire operation at somewhere around $320 million, depending on the exact price at that time.
The funds have since been divided and exchanged. Most appears to have been swapped for ether, around 93,750, while a lesser sum is held in SOL.
The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly.We are working to get the network back up quickly. Thanks for your patience.February 2, 2022 See more
One of the key things with this hack is that wormhole must maintain a 1:1 value between its wrapped tokens and those of the blockchains it exchanges with. Otherwise users may lose money by transferring between the two. That means when some nefarious actor steals loads of wETH, they’re pulling from a money pool held by Wormhole.
Devaluing wETH would mean no more simply transfers to the Ethereum network, which is one of the world’s largest blockchains, and thus a pretty big deal for Wormhole. The company has promised to top up the amount to maintain a 1:1 value.
This snapshot from Solscan shows the amounts transferred to and from the hacker’s account (account tokens removed). (Image credit: Solscan)
Wormhole has also attempted to reach out to the hacker over an Ethereum transaction sent to the hacker’s account, an Elliptic blog post says. It offers $10M in bug bounty fees to the hacker in exchange for the stolen funds and information as to how the exploit occurred.
Elliptic also puts this cryptocurrency hack amongst the biggest of all time. The funds stolen from Wormhole put it fourth in crypto heist history, behind Mt. Gox, Coincheck, and PolyNetwork heists.
How the Wormhole cryptocurrency exploit happened
The decentralised security experts at CertiK have outlined how the Wormhole bridge exploit occurred.
#IncidentAnalysis The investigation inside Wormhole BridgeThe attacker invoked the complete_wrapped instruction with the spoofed inputs
dataThe instruction does not perform complete verification on the correctness of the input
data. pic.twitter.com/IQAEqvphBOFebruary 3, 2022 See more
Essentially, the hackers spoofed the complete_wrapped instruction, using the inputs ‘ctx’, ‘accs’ and ‘data’. That means they somehow tricked Wormhole into thinking a smart contract had been created for the funds and that wrapped tokens were required on the destination blockchain, in this case Solana.
Of course, the funds were never there on the departing chain, meaning the wrapped tokens were coming out of Wormhole’s own pocket.
The spoofed data was then passed without full verification, which means the go-ahead to mint the wrapped coins was given despite the spoofed instructions. The last step was triggering the “invoked_seeded inst”, which signs the “mint” instruction and hands the hacker the stolen funds.
Wormhole now says it has closed this exploit, though the portal used to exchange funds between networks is still currently down.
The result of this seemingly small, swiftly patched exploit? $300 million or so out of Wormhole’s pocket.
Jump Trading replaces stolen Wormhole funds after $430m crypto hack
LONDON — The cryptocurrency arm of Jump Trading said on Thursday (Feb 4) it had restored more than $320 million (S$429.8 million) to crypto platform Wormhole after the decentralized finance site was hit with one of the largest crypto heists on record.
In a tweet, Jump Crypto said they chose to replace the stolen money “to make community members whole and support Wormhole now as it continues to develop.”
.@JumpCryptoHQ believes in a multichain future and that @WormholeCrypto is essential infrastructure. That’s why we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop. — Jump Crypto 🦬 (@JumpCryptoHQ) February 3, 2022
Chicago-based Jump Trading acquired Certus One, the developer behind Wormhole, in August.
Wormhole, an online platform that allows the transfer of information across crypto networks, said on Wednesday it had been “exploited” for 120,000 digital tokens connected to the second-largest cryptocurrency, ether.
At the time of its announcement, the market value of the tokens was just over $320 million.
The theft was the latest to hit the fast-growing but mostly unregulated DeFi sector. DeFi platforms allow users to lend, borrow and save — usually in crypto — while bypassing traditional gatekeepers of finance such as banks.
“All funds have been restored and Wormhole is back up,” the platform said on Twitter after earlier saying on its Telegram channel that “all funds are safe”.
All funds have been restored and Wormhole is back up.
We’re deeply grateful for your support and thank you for your patience. — Wormhole🌪 (@wormholecrypto) February 3, 2022
London-based blockchain analysis firm Elliptic said that attackers were able to fraudulently create the wETH tokens, almost 94,000 of which were later transferred to the ethereum blockchain, which powers transactions for ether.
Elliptic added that Wormhole has offered the attacker a $10 million “bounty” to return the funds, citing messages embedded within ether transactions sent to the attacker’s digital address.
MAJOR HACKING RISK
Cash has poured into DeFi sites, mirroring the explosion of interest in cryptocurrencies as a whole. Many investors, facing historically low or sub-zero interest rates, are drawn to DeFi by the promise of high returns on savings.
Yet with their breakneck growth, DeFi platforms have emerged as a major hacking risk, with bugs in code and design flaws allowing criminals to target DeFi sites and deep pools of liquidity, and also to launder the proceeds of crime, while leaving few traces.
Fraud and theft at DeFi platforms surpassed $10 billion last year, research by Elliptic shows, laying bare the risks in the fast-growing but mostly unregulated area of cryptocurrencies.
Last August, hackers behind likely the biggest ever digital coin heist returned nearly all of the $610 million-plus they stole from the DeFi site Poly Network.
Hacks have long plagued crypto platforms. In 2018, digital tokens worth some $530 million were stolen from Tokyo-based platform Coincheck. Mt. Gox, another Japanese exchange, collapsed in 2014 after hackers stole half a billion dollars of crypto.
READ ALSO: Crypto ATMs offline as Singapore seeks to curb ‘on impulse’ trading