Thieves Steal More than $300 Million from Wormhole Blockchain Platform
Thieves exploited a vulnerability in the Wormhole blockchain platform to steal more than $300 million worth of cryptocurrency. Wormhole allows users to transfer cryptocurrency across blockchains. Wormhole temporarily shut down operations while investigating the incident.
This is a fascinating vulnerability demonstrating how difficult it is to properly secure cross-chain transactions. It is believed that threat actors noted a security fix being uploaded to GitHub that had not yet been deployed to the network. Most decentralized architectures will suffer from this issue where the publication of a security fix can lead to exploitation before the fix can be deployed to the network. One fix used previously has been to publish closed-source patches, though this flies in the face of the open-source movement (and probably violates licensing). It also exposes additional risk since the code can't be inspected. Think of how hard vulnerability management is in an organization where you own all the systems. Organizations underpinned by so-called decentralized networks will need to game plan out how they can securely provide updates to a network they do not control before this technology can be more widely adopted. Note: The varying totals for loss amounts can be attributed to fluctuations in the price of Ethereum at different times of reporting.
This article is not surprising to me. At Neuvik, we are getting more requests to perform assessments on crypto platforms and marketplaces. We generally find that the bugs are not solely in the blockchain or the protocol stack, such as multi-sig attacks. Instead, the platforms suffer from the same bugs that standard web applications can have around authorization and the like. The major difference? There is a lot of money at stake, and the risk for loss is much higher than in traditional financial environments. Expect to see more of these as time goes on.
This cross-chain bridge allows interoperability while maintaining the value of the Ether and Solana blockchains, in a one-to-one ratio. This means the recovery of the lost funds impacts the value of cross-chain tokens. In other words, no funds, no value. This is one of the riskier models for cryptocurrency exchange and may not be viable in the long haul. It will be interesting to see if the attempted laundering of the stolen currency can be detected.