Hacker Steals $250 Million From Solana, Ethereum Bridge Wormhole

Wormhole, a protocol that allows users to move their tokens and NFTs between Solana and Ethereum, has gone offline as it investigates an exploit of $254 million in Wrapped Ethereum.

According to Wormhole’s Twitter account, the network is “down for maintenance” due to a “potential exploit.”

But that exploit, pointed out by Paradigm security researcher samczsun, appears to be real. A message on the Ethereum blockchain, purportedly from Wormhole, states:

“We noticed that you were able to exploit the Solana VAA verification and mint tokens. We would like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you have minted.”

VAA stands for “validator action approval,” and refers to the process by which transactions get approved.

The message means that Wormhole assumes with a wink and nod that the hacker acted in good faith. In return, it will give them $10 million for pointing out a vulnerability. But it wants its quarter-billion back.

Wormhole has not yet provided additional updates and did not immediately respond to a Decrypt request for comment.

In addition to connecting Ethereum and Solana, Wormhole also works with Avalanche, Binance Smart Chain, Oasis, Polygon, and Terra. It allows users of one chain to take “wrapped” assets and use them on another chain, often so they can take advantage of lower fees or different applications across networks.

But to get their Ethereum into Solana, users must first lock it into a smart contract and then get an equivalent amount in Wrapped Ethereum. They can then trade WETH for Solana-based tokens. If the message above is accurate, the hacker was able to short-circuit this and mint WETH without keeping ETH locked up.
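The lock-then-mint accounting described above implies a check that a bridge operator or an outside monitor can replay over bridge events: every mint must consume a matching lock, and wrapped supply must never exceed locked collateral. The sketch below is an added example, not code from Wormhole or from the article; the event format, field names and sample events are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Event:
    kind: str        # "lock"/"release" on the source chain, "mint"/"burn" on the destination
    amount: Decimal
    ref: str         # hypothetical id linking a mint to its lock, or a release to its burn

def audit(events):
    """Replay events in order and return (index, reason) for every violation."""
    locked = minted = Decimal(0)
    open_locks, open_burns = {}, {}   # ref -> amount not yet consumed
    findings = []
    for i, e in enumerate(events):
        if e.kind == "lock":
            locked += e.amount
            open_locks[e.ref] = e.amount
        elif e.kind == "mint":
            # pop() consumes the lock, so a second mint on the same ref is flagged too
            if open_locks.pop(e.ref, None) != e.amount:
                findings.append((i, "mint not backed by a matching lock"))
            minted += e.amount
        elif e.kind == "burn":
            minted -= e.amount
            open_burns[e.ref] = e.amount
        elif e.kind == "release":
            if open_burns.pop(e.ref, None) != e.amount:
                findings.append((i, "release not backed by a matching burn"))
            locked -= e.amount
        if minted > locked:
            findings.append((i, f"wrapped supply {minted} exceeds collateral {locked}"))
    return findings

# Constructed sample: a normal round trip, then a mint with no lock behind it.
EVENTS = [
    Event("lock", Decimal("10"), "a1"),
    Event("mint", Decimal("10"), "a1"),
    Event("burn", Decimal("4"), "b1"),
    Event("release", Decimal("4"), "b1"),
    Event("mint", Decimal("500"), "x9"),
]

if __name__ == "__main__":
    for index, reason in audit(EVENTS):
        print(f"event {index}: {reason}")
```

The supply-versus-collateral comparison needs only on-chain balances, so it can run independently of the bridge's own message verification.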

Source: https://decrypt.co/91899/hacker-steals-250-million-solana-ethereum-bridge-wormhole