Wormhole offers $10M to Ethereum thieves

Blockchain bridge Wormhole publicly offered $10 million as a "white hat" bounty to threat actors in exchange for the return of more than $300 million stolen from them last week.

Wormhole's post follows the cyber attack suffered last Wednesday, during which threat actors apparently exploited a vulnerability allowing them to mint 120,000 wrapped Ethereum (approximately $320 million at the time), a token used to convert Ethereum into other cryptocurrencies. The attackers then converted 93,750 of it into Ethereum and transferred it to another wallet.

Wormhole, which is a blockchain bridge that allows the exchange of select cryptocurrencies across independent blockchains, published its own findings Friday via an "Incident Report" on Medium.

Most notably, Wormhole reaffirmed its "white hat" $10 million offer to threat actors in exchange for the safe return of stolen funds. In the same paragraph, the platform offered $10 million for information leading to the arrest of the threat actors.

"A $10,000,000 reward is offered for any information leading to the arrest and conviction of those responsible for the hack of Wormhole on February 2, 2022, or the recovery of the stolen assets," the post read. "The $10,000,000 white hat offer remains open for the timely return of the funds. You can reach out to [email protected]."

A $10,000,000 bug bounty for exploit details and a whitehat agreement is offered to the hackers in exchange for returning all funds. You can reach out to [email protected]

7/

— Wormhole (@wormholecrypto) February 4, 2022

SearchSecurity asked Wormhole for more details, but the platform did not respond.

The stolen 120,000 wrapped Ethereum were replaced by Jump Crypto. Jump Crypto is part of Jump Trading, a trading firm that acquired Wormhole's developer Certus One last year. In a Feb. 3 tweet, the firm said, "[Jump Crypto] believes in a multichain future and that [Wormhole] is essential infrastructure. That's why we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop."

Wormhole's post includes a detailed, 16-hour timeline of how the incident occurred, substantial vulnerability details and future plans.

The bug at the center was a "signature verification" vulnerability that "allowed the attacker to forge a message from the Guardians to mint Wormhole-wrapped Ether."

"An attacker could craft an account and populate it with data to make it look like the instruction sysvar account. This fake instruction sysvar could then be passed to Wormhole's verify_signatures function to fool it into thinking that the signatures had been successfully verified," the post read. "Any arbitrary Wormhole message with Solana as the destination chain could be signed by an attacker, including messages to mint wrapped Wormhole tokens on Solana."

As for future plans, Wormhole said it had multiple ongoing audits scheduled for 2022, including one from managed security service provider Kudelski that began last month. The platform's security roadmap included three bullet points: "accounting mechanism to isolate risks to individual chains," "dynamic risk management" and "ongoing monitoring and early detection of incidents."

The Wormhole community is also working on a formal bug bounty program for the bridge on Immunefi, which will feature a maximum bounty of $3.5 million, "believed to be the highest in the industry."

Alexander Culafi is a writer, journalist and podcaster based in Boston.