Security Firm CertiK Detects $5M Security Flaw in Cross-Chain Bridge Wormhole

Security firm CertiK has detected and helped prevent a flaw in the cross-chain bridge Wormhole that could have led to $5 million in losses. In a social media post, CertiK's research team reported a critical bug in Wormhole: an incorrect application of the public and entry modifiers, which exposed the protocol to potential multimillion-dollar exploits. In a short video explainer, CertiK demonstrates how it identified the flaw.

This case study highlights the importance of proactive security practices and celebrates the power of open-source software in raising security and transparency standards across the Web3 world. Wormhole supports the transfer of tokens and data across different blockchain networks.

The crypto project was spun off by Jump Trading Group and is one of the most popular bridges connecting the Ethereum and Solana blockchains. In 2022, Wormhole suffered the largest DeFi attack of that year: hackers compromised the Wormhole Bridge and drained 120,000 wETH, equivalent to about $321 million, which the attacker then swapped for ETH, SOL, USDC, APE, SX and other tokens. An investigation by pseudonymous researcher Pland, detailed in an X post on April 4th, found that the Wormhole team had failed to exclude several wallet addresses associated with the exploit that drained $321 million in crypto from the cross-chain bridge.

To understand why the 2022 attack was more serious than the average hack, it is essential to comprehend how cross-chain bridges function. "Users interact with cross-chain bridges by sending funds in one asset to the bridge protocol, where those funds are then locked into the contract. The user is then issued equivalent funds of a parallel asset on the chain the protocol bridges to. In the case of Wormhole, users typically send Ether (ETH) to the protocol, where it is held as collateral, and are issued WeETH on Solana, backed by that collateral locked in the Wormhole contract on Ethereum," according to the Chainalysis report "Lessons from the Wormhole Exploit".

April 2024 saw the lowest combined losses from crypto-related hacks and scams, with CertiK reporting approximately $25.7 million lost to exploits, hacks, and scams. This is the lowest monthly figure CertiK has recorded since it started tracking such incidents in 2021, as both flash loan attacks and private key hacks decreased.