$325 million in cryptocurrency disappears after an error on GitHub

Imagine a security flaw that was fixed in the code, but the fix was apparently never applied to the live application, which was hacked as a result!

The decentralized finance (DeFi) platform Wormhole became the victim of the largest cryptocurrency theft this year, and one of the five largest crypto hacks of all time, when an attacker exploited a security flaw to make off with close to $325 million!

The attack seems to have resulted from a recent update to the project’s GitHub repository, which revealed a fix for a bug before that fix had been deployed to the live project. The attack was noticed when a post from the Wormhole Twitter account announced that the network was being taken “down for maintenance” while a potential exploit was investigated. A later post from Wormhole confirmed the hack and the amount stolen.

Shortly after the attack, the Wormhole team also offered the hacker a $10 million bounty to return the funds, which was embedded as text in a transaction sent to the attacker’s Ethereum wallet address.

Wormhole provides a service known as a “bridge” between blockchains, essentially an escrow system that allows one type of cryptocurrency to be deposited in order to create assets in another cryptocurrency. This allows a person or entity with holdings in one cryptocurrency to make trades and purchases using another, somewhat like being able to fund a bank account in dollars and then use a bank card to buy something priced in euros.

To carry out the attack, the attacker managed to forge a valid signature for a transaction that allowed them to freely mint 120,000 wETH — a “wrapped” Ethereum equivalent on the Solana blockchain, with value equivalent to $325 million at the time of the theft — without first inputting an equivalent amount. This was then exchanged for around $250 million in Ethereum that was sent from Wormhole to the hacker’s account, effectively liquidating a large amount of the platform’s Ethereum funds that were being held as collateral for transactions on the Solana blockchain.

Open-source code commits show that a fix for this vulnerability was written and uploaded to the Wormhole GitHub repository on the day of the attack. Just hours later, the hacker exploited the vulnerability, suggesting that the update had not yet been applied to the production application.

Due to the nature of cross-chain applications, the attack temporarily left a huge deficit between the amount of wrapped Ethereum and regular Ethereum held in the Wormhole bridge — as if the collateral asset backing a loan had suddenly disappeared. According to Forbes, the value of the Solana cryptocurrency dropped 10 percent in the aftermath of the hack.
