Barely six weeks into 2022, the crypto market may have just witnessed its biggest DeFi attack of the year. A few hours ago, an unidentified hacker exploited the Ethereum-Solana bridge (typically used to facilitate seamless transactions between ETH and SOL holders), stealing close to $320 million as of the last valuation.
Wormhole Crypto, the official Twitter account behind the SOL-ETH interoperability protocol, has come out to confirm the attack, adding that it would replace all 120k wrapped Ethereum tied to several Ethereum users and bear the losses thereof. It has also offered the hacker a $10 million white hat bounty to return all the stolen digital assets. Here’s a scoop about what may have made the attack a successful one.
An unfixed glitch in the bridge protocol is the likely cause
Since news of the hack broke, many top analysts have tried to reverse engineer how the attacker stole close to 120k wETH. wETH is an ERC-20 1:1 version of ETH that helps holders complete transactions with other tokens linked to or domiciled in the Ethereum blockchain. Like fiat currency backed by gold reserves, each wETH is backed by a corresponding ETH and is equal in value. To facilitate transactions on blockchain networks like Solana, a user would typically have to deposit ETH and proceed with the equivalent number of wETH.
According to pro-Wormhole analysts on Twitter, the bug which was exploited by the hacker had been published on Solana’s GitHub open source repository since mid-January, and its remedy was given days after, but the team of developers had delayed its implementation until the attack.
Allegedly aware of this unresolved flaw, the attacker successfully minted close to 120k fake ETH, taking advantage of the unpatched bug to trick the Solana security verification system into accepting it. With the fake deposit now certified as real, all the hacker had left to do was withdraw the equivalent amount of real ETH from the bridge protocol and transfer it to untracked recipients.
Speed vs. Security
All the news about Solana being better than Ethereum hinges on its speed and not on its security. The latest attack has shown how highly the network prizes its ~55,000 transactions-per-second record, while neglecting the catastrophic losses that could come with poor user safety.
Back in September and more recently in December, the network suffered repeated DDoS attacks, causing close to 17 hours of network shutdown. Yesterday, the network was in the news for the launch of its Solana Pay protocol, spurring a brief gain past the $100 mark. Today, all such gains, totaling close to 12%, have been eroded as it sits sullenly at $96.76.
Crypto competence gets dragged
It is too early to tell if the attacker will choose to sacrifice $220 million of his bounty, but the entire situation casts a shadow on the cryptocurrency market, especially for investors who find little appeal in such outrageous risk. Cases like these win points for the argument against open source reliability and decentralization, especially considering the volume of transactions involved. The Geneva-based token will have to do more than just outrun Ethereum transaction speed to keep and attract new users.