The danger of DeFi cross-chain bridges is demonstrated by a wormhole exploit

Questions regarding the Solana ecosystem and cross-chain protocols have arisen as a result of the second-largest decentralised finance heist to yet.

Since its formal introduction in March 2020, Solana has been one of the fastest-growing smart contract blockchain networks.

According to data from DefiLlama, the total value locked (TVL) on the network’s decentralised finance (DeFi) protocols increased from almost $152 million in March 2021 to $8.08 billion at the time of writing.

image 2022 02 16T17 17 11 911Z e1645032503427

Simultaneously, the network has experienced a number of problems and outages. Most recently, on Feb. 3, the Wormhole token bridge was hacked, resulting in the loss of 120,000 wrapped Ether (wETH) tokens, valued at over $375 million at the current Ether price (ETH).

Following the Poly Network hack, in which over $600 million was taken from three distinct blockchain networks when an Ethereum bridge was compromised, this exploit was the largest in 2022 and the second largest DeFi hack ever.

Wormhole is a token bridge technology that bridges Ethereum, Solana, Terra, BNB Smart Chain, Polygon, Avalanche, and Oasis blockchain networks. It allows users to send and receive tokens between different networks without requiring a centralised exchange or time-consuming conversion procedures. While wrapped Ether was the sole asset affected by the exploit, Certik, a smart contract auditing firm, stated that Wormhole’s bridge to the Terra blockchain network may be vulnerable to the same flaw as the Solana bridge.

The token bridging protocol has published a full incident report detailing the timeline of the hack as well as all related factors such as security audits, bug bounties, and the security roadmap. Max Galka, the CEO of blockchain data analytics startup Elementus, He stated. ”


“About three hours before the Ether was taken from Wormhole, a smaller transaction from Tornado Cash — a mixer that anonymizes transactions — was transferred into the wallet that is currently holding the stolen funds.” A transfer was made from an Ethereum mixer to the wallet that now holds the stolen cash.”

Galka went on to say that while it’s understandable why the hacker would try Tornado Cash in the first place, it’s less clear why they would utilise the mixer to deposit funds into the same wallet before launching a large attack.

Wormhole then partnered with Immunefi to launch a bug bounty programme on February 12th, offering a $10 million reward for smart contracts, web user interface (UI), guardian nodes, and Wormhole integrations. This puts it on par with Maker DAO’s bug bounty programme as the largest bug bounty programme in the cryptoverse.

Jump Crypto, the crypto investment arm of trading business Jump Trading, has stepped in to “make the community members whole,” according to one of the primary investors in Wormhole. The venture capital firm has replaced the 120,000 ETH and declared on Twitter the same day as the attack that it believes in a multichain future and that Wormhole is critical infrastructure for that future.


Cross-chain activity raises security problems.

In a Reddit AMA session with the Ethereum Foundation’s Research Team, Vitalik Buterin, a co-founder of Ethereum, stated that the future of blockchain technology is multichain, not cross-chain. Buterin justified this by citing security worries about bridges and non-native token assets, as well as the likelihood of 51 percent assaults. “Holding Ethereum-native assets on Ethereum or Solana-native assets on Solana is always safer than holding Ethereum-native assets on Solana or Solana-native assets on Ethereum,” he stated.

Jagdeep Sidhu, the chief technology officer of Syscoin, a proof-of-work (PoW) blockchain network that is “merged-mined” with Bitcoin. “He simply means that wherever there is a blockchain, there is a zone-of-sovereignty within that chain that has free will over the blockchain’s security,” he explained. When blocks, for example, roll back, all systems that rely on the chain’s security likewise roll back. As a result, when building cross-chain bridges, you must either assume a new consensus system that will watch for and respond to rollbacks, or cautiously wait around the possibility of a rollback, depending on the transaction’s value.”


The Wormhole hack, according to Sidhu, demonstrated the difficulties of developing cross-chain trading and bridging because the attack was only possible because of an externality created by the Solana team, which rendered a certain operation in the consensus code legacy. The hacker was able to exploit a vulnerability in Wormhole’s logic as a result of this operation.


Despite the fact that this hack targeted a cross-chain bridge, it’s worth noting that this was a smart contract exploit, which has been there for as long as smart contracts have been. According to Galka,


“Since the very early days of Ethereum, when The DAO was attacked in 2016, smart contracts have had a fairly steady stream of vulnerabilities and hacks.” Cross-chain bridge contracts, on the whole, have big sums, making them prime targets. Smart contracts have always been vulnerable to hacking. That is something I expect to continue.”

Anton Bukov, co-founder of the 1inch Network, a DEX aggregator, about this element of the breach, and he said the cause was a low-level smart contract flaw. It has something to do with Solana’s precompiled smart contract calling methodology. He pointed out that the issue fix had been accessible for more than two weeks on the interoperability protocol’s GitHub repository before the breach.


The exploiter may have been able to identify the hack because the remedy was made public. Buterin’s concerns about cross-chain activities were shared by Bukov, who remarked, “Cross-chain operations are considerably more risky and vulnerable than any other blockchain operations.”


Rollups with no prior knowledge

Despite Solana’s fast development in the short period since its introduction, the network is becoming increasingly prone to problems as more people join. The network had a rough start to the year, with six network failures in January, causing widespread discontent among its users.

Solana, like all other alternative smart contract networks, has a monolithic architecture that doesn’t allow for economies of scale, according to Sidhu. As a result, as more people join the network, the fees and resources required to keep it stable, secure, and decentralised will rise.


“The greatest method we know to grow is through a modular architecture,” he stated, suggesting a solution to this looming problem. Due to the creation of great scaling solutions such as optimistic and zero-knowledge proof based rollups, Ethereum and several other blockchains such as Syscoin are shifting toward this.”

Sidhu stated that the ideal method for cross-chaining assets is to use zero-knowledge (ZK) proofs as a better alternative to having the pool of money rest on an external consensus such as a multi-party protocol, which requires an honest majority assumption of external validators. External consensus would be replaced with mathematical validity proofs if ZK-proofs were used.


He did note, however, that none of the alternatives are as secure as employing a dependable layer 1. “A ZK bridge is an interesting upgrade to cross-chain bridging,” he continued, “but I do not believe it should be utilised as a generic cross-chain DeFi ecosystem, as it cannot give as much security as simply utilising a secure layer 1 by definition.”


Bukov speculated that this vulnerability may be duplicated using bridges on other blockchain networks:

“In the past, there have been instances of one party abusing code, followed by copycats capitalising on the initial attack.” The core code of a number of multisignature Ethereum wallets was compromised in 2017. In this case, other actors exploited the same vulnerability and carried out a series of follow-up hacks.”

This hack may serve as a warning to core developers of interoperable bridging protocols and other smart contract blockchain networks to exercise caution when dealing with cross-chain smart contracts and assets, and to work on regular updates, audits, bug bounties, and other methods to plug costly loopholes like these in their operations.


Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.

Leave a Comment

Your email address will not be published. Required fields are marked *


Recent Posts

Follow Us