By Jeff Benson
Wormhole, a protocol that allows users to move their tokens and NFTs between Solana and Ethereum, has confirmed that it suffered an exploit of 120,000 Wrapped Ethereum, worth over $320 million—higher than the $250 million originally suspected.
"ETH will be added over the next hours to ensure wETH is backed 1:1," it posted on Twitter, adding: "We are working to get the network back up quickly."
Earlier on Wednesday, a post on Wormhole's Twitter account noted the network was "down for maintenance" due to a "potential exploit." But by that point the exploit, pointed out by Paradigm security researcher samczsun, appeared to be real. A message on the Ethereum blockchain, purportedly from Wormhole, states: "We noticed that you were able to exploit the Solana VAA verification and mint tokens. We would like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you have minted."
VAA stands for "validator action approval," and refers to the process by which transactions get approved.
The message means that Wormhole assumes with a wink and nod that the hacker acted in good faith. In return, it will give them $10 million for pointing out a vulnerability. But it wants its quarter-billion back.
Wormhole has not yet responded to a Decrypt request for comment.
In addition to connecting Ethereum and Solana, Wormhole also works with Avalanche, Binance Smart Chain, Oasis, Polygon, and Terra. It allows users of one chain to take "wrapped" assets and use them on another chain, often so they can take advantage of lower fees or different applications across networks.
But to move their ETH to Solana, users must first lock it in a smart contract and then receive an equivalent amount of Wrapped Ethereum (wETH). They can then trade wETH for Solana-based tokens. If the message above is accurate, the hacker was able to short-circuit this step and mint wETH without any ETH locked up to back it.
Editor's Note: This article has been updated to include Wormhole's confirmation of the exploit as well as the revised figure of $320 million.