Hackers have exploited a vulnerability in the Wormhole cross-chain crypto platform to steal $326 million in cryptocurrency.
Wormhole is a platform that allows users to transfer cryptocurrency across different blockchains. It does this by locking the original token in a smart contract and then minting a wrapped version of the stored token that can be transferred to another blockchain.
The platform supports the Avalanche, Oasis, Binance Smart Chain, Ethereum, Polygon, Solana, and Terra blockchains.
Wormhole reportedly hacked for $326 million
At 3:42 PM EST today, Wormhole announced that they shut down their platform as they investigated an exploit on their network.
Using the exploit, a threat actor minted and stole 120k wrapped Ether tokens on the Solana blockchain. Of these 120k tokens, the threat actors converted 80,000 to Ethereum and left the rest on the Solana blockchain, where they began to sell it.
Wormhole later confirmed that a hacker stole 120k wrapped Ethereum (wEth) and that they were adding Ethereum to their platform to ensure all wETh is properly backed.
Blockchain analytics company Elliptic says that a Wormhole representative sent a message to the address owned by the hacker offering a $10 million bug bounty under a “whitehat agreement.”
This agreement requires the return of all stolen funds and details on the vulnerability and the exploit that was used.
“This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at firstname.lastname@example.org” – Message sent to attackers by Wormhole.
It is unknown if the hacker has replied to the message and is willing to work with Wormhole to recover the assets.
The Wormhole attack is now the second-largest attack on DeFi services, with the largest being Poly Network, which was hacked for over $600 million in August.