Cryptocurrency platform Wormhole lost over $300 million following a cyber attack Wednesday, marking the latest in a string of major heists against cryptocurrency platforms.
Wormhole is a "blockchain bridge," a platform that allows the exchange of cryptocurrencies across independent blockchains. Wormhole tweeted that Wednesday's attack occurred as a result of an "exploit" that allowed attackers to steal 120,000 wrapped Ethereum (wETH), a token that maintains the same value as Ethereum and is used to convert it into other cryptocurrencies.
According to a Wednesday blog post by cryptocurrency analytics service Elliptic, threat actors used the exploit -- which appears to have occurred due to improper account validation -- to mint 120,000 wETH, worth approximately $320 million, before transferring 93,750 Ethereum (just under $250 million). These figures are based on data from Ethereum analytics platform Etherscan.
The blog post also pointed out a transaction to the attackers from Wormhole that included a note offering a $10 million bounty for the return of stolen funds. The 93,750 Ethereum appears to remain in the attacker's wallet.
Wormhole also provided a timeline of the incident on Twitter. The attack occurred at 6:30 p.m. UTC on Wednesday (roughly 1:30 p.m. ET). The exploit was patched about six hours later, and funds were restored early on Thursday morning. Soon after, the token bridge, which had been taken down following the attack, was put back online.
18:26 UTC - contract was exploited for 120k ETH
00:33 UTC - vulnerability was patched
13:08 UTC - ETH contract has been filled and all wETH are backed 1:1
13:29 UTC - the Portal (token bridge) is back up
The team is working on a detailed incident report and will share it asap
— Wormhole (@wormholecrypto) February 3, 2022
In a separate tweet early Thursday, Wormhole wrote that "all funds have been restored."
Questions remain regarding how exactly Wormhole managed to restore $320 million in Ethereum, as the funds do not appear to have been recovered from the attacker directly.
UPDATE: Jump Trading, a trading firm with a focus on cryptocurrency, announced in a tweet Thursday that it had replaced Wormhole's lost funds. Jump acquired Wormhole's developer, Certus One, last year.
Wormhole has not responded to SearchSecurity's request for comment.
A number of cryptocurrency exchanges have lost millions of dollars to thefts in recent months. BitMart lost approximately $150 million in a December breach. Crypto.com, meanwhile, lost about $35 million in an attack last month.
Alexander Culafi is a writer, journalist and podcaster based in Boston.