A security flaw has led to the fifth-largest crypto theft to date. About $325 million in digital currency on the Solana blockchain has been stolen via the Wormhole platform.
The attack happened on February 2, and Wormhole has since confirmed it. The company has also promised the attacker $10 million in exchange for returning the stolen funds. The hack appears to trace back to a fix that was visible on GitHub: Wormhole posted a fix for a vulnerability to its GitHub repository before that fix was deployed in the project itself. The security flaw was therefore quickly exploited.
Wormhole is not a traditional cryptocurrency trading platform; it provides a kind of bridge between different blockchains. The company runs a deposit system that allows you to deposit one type of digital coin and then purchase services in another type of digital coin. In the attack this week, the attacker managed to forge a signature for a transaction that created 120,000 wETH. That is a temporary, ‘wrapped’ equivalent of Ethereum on the Solana blockchain. Its value is about 325 million dollars.
The attacker then traded that wETH for $250 million worth of “real” Ethereum and sent it to their own account. In this way, a large amount of Ethereum was stolen that Wormhole holds on deposit to back transactions on the Solana blockchain.
To forge that original signature, the attacker used a vulnerability for which Wormhole already had a fix on January 13. The fix was also published on the company’s GitHub repository but had clearly not yet been deployed to the production environment.
The vulnerability is also said to have actually been fixed in the meantime, and Wormhole says it will add additional Ethereum to its bridge funds to continue providing the service. However, it is currently unclear where it will get that money.