Another day, another crypto heist with an inconceivable amount of money stolen. This time it’s a cool $325 million from Wormhole, a “secured bridge” between Solana and Ethereum, Binance Smart Chain, and Terra. On February 2, Wormhole announced that it was hacked.
Four hours later, Wormhole announced that the money had been replaced and for two days, no more information was forthcoming.
The next day, The Verge sent questions to Jump Crypto, a division of Jump Trading Group, the firm behind Wormhole, but received no response. Jump is a secretive high-speed trading firm based in Chicago.
The next day, Thursday, February 4, Jump Crypto admitted that it had refunded all the losses. Who stole the money? No one knows, but it was a hint of how much money Jump is making in crypto.
Although the sheer scale of the loss is notable, Wormhole is not alone. In the last year, DeFi services have lost more than $2 billion from hacks and heists, according to Elliptic. The users are even worse off, losing more than $12 billion from theft and fraud.
As small investors crowd in to catch a piece of the crypto gold rush, elite hackers lay waste to their investments, gobbling up their nest eggs like ravenous birds of prey. These small investors have no clue how insecure, opaque, and unaccountable DeFi platforms and crypto exchanges are, and there is little anybody can do, except send little encrypted pleas for the crooks to have a heart.
This time, it was Wormhole pleading for the funds to be returned. They told the hacker to keep $10 million as a “bug bounty.”
Allow me to translate:
“Mr. Hacker, can you, like, give those three hundred millions back? We’re really screwed here! I’ll probably lose my job. Go ahead and keep enough loot to retire comfortably. You’ve earned it! We can call what you did research and classify you as a, erm, consultant, how about that?”
These platforms refuse government regulation because of taxes, claiming to provide a better service, higher profits, and lower fees than the banking system, but when they suddenly lose millions or billions due to a flaw in their protocol that nobody understands, they are only too happy to submissively fork over $10 million to a non-state actor. Luckily, Wormhole’s parent company took out their proverbial wallet.
In response to Wormhole’s announcement of the exploit on Twitter, many crypto experts didn’t even understand how this latest hack was accomplished. The money seemed to have appeared from the ether. One Twitter observer posed the question that had everyone scratching their heads and making up memes:
Others wondered where the bounty money was coming from, and how Wormhole was maintaining its guarantee of 1:1 backing.
The audience made cynical jokes and noted that the levels of the implicated currencies were holding steady, suggesting the market expected a bailout. Solana lost 10% of its value in the aftermath. Meanwhile, the cyber sleuths went to work, reverse-engineering the transaction chain that preceded this impressive exploit. According to Kelvin Fichter, under the handle @kelvinfichter, the attacker minted 120,000 “Wormhole ETH” out of nowhere.
Wormhole mediates activity between the Solana and Ethereum blockchains with guardians that verify the signatures on smart contracts between users, by means of an internal smart contract that issues a series of messages essentially informing Wormhole of the transactions.
The attacker initially deposited a small amount of ETH into Solana from Ethereum and next executed a fake deposit of 120k ETH with a fabricated system program input and a falsified signature. This transaction ostensibly transferred assets from Ethereum to Solana, minting a “wrapped ETH” version. Then, the attacker executed a withdrawal of 80k ETH and another 10k later for good measure.
CTO Larsson explains the whole sordid protocol in this video, pointing out that Wormhole’s own commands admitted the signature validation process was “unsafe” because the system “account address is not checked.” There was another program doing that important work, which led to the vulnerability.
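The unchecked account address described above can be modelled in a few lines. This is an added example, not Wormhole's or Solana's code: the types, the `TRUSTED_SYSTEM_ACCOUNT` value and the function names are hypothetical, and the input is constructed. It puts the unsafe check beside a hardened one that confirms the account's address before trusting its contents.

```rust
// Simplified model of the check described above. Not Wormhole or Solana code;
// every name and value here is hypothetical and constructed for illustration.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Address(pub [u8; 4]);

/// Address of the one account the runtime itself writes to (constructed value).
pub const TRUSTED_SYSTEM_ACCOUNT: Address = Address(*b"SYS1");

/// An account handed to the bridge program by whoever built the transaction.
pub struct Account {
    pub address: Address,
    /// Message hashes whose guardian signatures are recorded as verified.
    pub verified_hashes: Vec<u64>,
}

#[derive(Debug, PartialEq)]
pub enum BridgeError {
    WrongSystemAccount,
    SignatureNotVerified,
}

/// Unsafe variant: reads the verification record from whatever account it is
/// given, so the record is only as trustworthy as the caller.
pub fn verify_unchecked(sys: &Account, msg_hash: u64) -> Result<(), BridgeError> {
    if sys.verified_hashes.contains(&msg_hash) {
        Ok(())
    } else {
        Err(BridgeError::SignatureNotVerified)
    }
}

/// Hardened variant: confirm the account's address before trusting its data.
pub fn verify_checked(sys: &Account, msg_hash: u64) -> Result<(), BridgeError> {
    if sys.address != TRUSTED_SYSTEM_ACCOUNT {
        return Err(BridgeError::WrongSystemAccount);
    }
    verify_unchecked(sys, msg_hash)
}

fn main() {
    // Constructed input: a look-alike account supplied by the caller.
    let lookalike = Account { address: Address(*b"FAKE"), verified_hashes: vec![0xC0FFEE] };
    println!("unchecked: {:?}", verify_unchecked(&lookalike, 0xC0FFEE));
    println!("checked:   {:?}", verify_checked(&lookalike, 0xC0FFEE));
}
```

The hardened variant still accepts the genuine system account and still rejects a message that was never verified; the only behavioural change is that data from any other address is refused.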
The code underlying the protocol was posted on GitHub only three hours before the hack, so Larsson concludes that the hacker was probably monitoring this repository and saw that the code was being changed because there was a bug, meaning there was a live zero-day exploit.
In the bridge of Wormhole, between Solana and Ethereum, the hacker found a crack in the fabric of the blockchain, where infinite tokens could be created with a few keystrokes. Vitalik Buterin, the co-founder of Ethereum, argued just last month that there were limits to the security of “cross-chain” bridges between “zones of sovereignty.”
And three weeks later, his astute observation was proven right. The more important question (Where was the money coming from?) was answered a few days later when it came out that Jump Trading Group was the source of the bailout. Jump is so flush with funds they couldn’t be bothered to wait.
Jump pays Robinhood to outsource its crypto trades for Jump to execute. Robinhood’s commissions from Jump, at $247 million, accounting for 17% of total revenue in the first nine months of 2021, suggest Jump is raking in cash. That’s why it’s remarkable how unremarkable this latest hack is. Jump quietly bailed out Wormhole like it was no big thing. Just the cost of doing business in crypto. When the president and CIO of Jump finally spoke about the hack, more than two weeks later on Squawk Box, he called it a “growing pain.” Markets basically didn’t budge. In fact, they were rising, but for the Ukraine crisis.
And why shouldn’t they? After all, if this latest bailout was the result of a situation analogous to a medieval goldsmith using a fake promissory note from London to collect a gold payment in Paris, as was reassuringly suggested by the YouTube channel Thinklair, then interchain bridges are just about as secure as the financial system we had during the mercantilist era.
Clearly, there is a fundamental instability in the market if each blockchain remains an independent ecosystem with poorly designed bridges. This exposure to risk that users often unwittingly take is the same type of embedded moral hazard that existed in the subprime mortgage industry back in 2008. It’s too big to fail, all over again in the crypto market, which has claimed to a skeptical Wall Street audience that it is secure and should supplant the traditional finance system. Even the language sounds similar. Observe how Coindesk described Wormhole’s appeal:
“Wormhole allows ‘wrapped ETH,’ a synthetic asset intended to be collateralized by actual ETH, to be traded on the Solana blockchain. That opens up a lot of interesting arbitrage opportunities for traders, as well as healthier diversification in things like liquidity pools.”
Liquidity pools have been repeatedly exploited with flash loan attacks, draining almost $200 million from Cream Finance in 2021. Throw in high leverage and you have the equivalent of an economic Molotov cocktail. Hackers went through Wormhole’s pockets the same way they exploited Poly Network for a cool $600,000,000 all the way back in August 2021. The Poly Network hacker returned the funds, saying he was just “keeping them safe,” and the company called him “Mr. White Hat” and offered him their chief of security post.
The hacker ultimately declined, probably because they’re absconding with the $500k to an island to look at “interesting arbitrage opportunities” from the perspective of a sunset on the Pacific Ocean. Not bad for an honest day’s work. After such labours, the hacker most definitely deserved a relaxing vacation.
And by the looks of things, other talented hackers, I mean, researchers are receiving comparable bounties.
Sound familiar? Not exactly – so far, the Wormhole Hacker hasn’t returned the funds – and indeed, why would they when Jump already hastened to make Wormhole whole? It just goes to show you: If you’re going to steal, it pays to go big! You heard me. Now, shout it from the rooftops!!
Hats off to the Wormhole hacker, for showing us all how to go big! Wormhole’s groveling encrypted offer of 20x what the Poly Network Hacker was awarded (minus salary and benefits) suggests they sensed their adversary wouldn’t be placated with a measly $500k (plus salary and benefits). Good show!
The situation brings to mind the glory days of CDOs before subprime, and the Dot-com bubble. It’s also vaguely evocative of the S&L crisis, and other wild and woolly rollercoasters that (not having invested in them) were nothing if not enjoyable to watch.
With the exception of the two arrested in Manhattan on February 8 in connection with a conspiracy to launder $4.5 billion in crypto, most crypto heists are playing out exactly as they famously have on Wall Street: near-total impunity for the perpetrators and we’re so sorry for the little guy. If it’s not the same song and dance, I’ll be damned if it don’t rhyme. And the markets said, “Sing again! My ear is much enamored of thy note!”
A hypothetical multi-chain model where there would be more guardians verifying the transactions is cold comfort for those considering transactions in the here and now. And there’s no guarantee that the same state of affairs won’t plague Blockchain 3.0 where “smart cities” will be governed with “smart governance” and the unbanked masses will store their digital identities on a blockchain, transacting business in the global market at the touch of a button.
There are always unintended consequences hiding in grand visions, and the apparent revolving door of hackers pillaging the firms facilitating market activity is not only a bad look; it’s an ominous portent.
For those security-conscious ones, I recommend not investing a penny in crypto that you aren’t prepared to lose. If you must invest in crypto, remember to store your crypto on a cold wallet, which keeps your crypto holdings offline and protects against online attacks.
Author: Tim Tolka, writer, journalist, and BI researcher
The Editorial Team at #DisruptionBanking have taken all precautions to ensure that no persons or organisations have been adversely affected or offered any sort of financial advice in this Article. This Article is most definitely not Financial Advice.