
How $323M in crypto was stolen from a blockchain bridge called Wormhole

poochyena

Summary

 

Hackers stole more than $323 million in cryptocurrency by exploiting a vulnerability in Wormhole, a Web-based service that allows inter-blockchain transactions. Wormhole lets people move digital coins tied to one blockchain over to a different blockchain; such blockchain bridges are particularly useful for decentralized finance (DeFi) services that operate on two or more chains, often with vastly different protocols, rules, and processes. 

The haul is the fourth-biggest cryptocurrency theft of all time, according to this roundup from Statista, just behind the $480 million stolen from Mt. Gox in 2014, the $547 million taken from Coincheck in 2018, and the $611 million snatched from Polynetwork last year (this record-setting amount was later returned by the thief).


In 2021, losses from cryptocurrency thefts totaled $10.5 billion, according to Elliptic, up from $1.5 billion the year before.

 

Quotes


The hackers pulled off the theft by using an earlier transaction to create a signatureset, which is a type of credential. With this, they created a VAA, or validator action approval, which is essentially a certificate needed for approving transactions.

“Once they had the fake 'signatureset,' it was trivial to use it to generate a valid VAA and trigger an unauthorized mint to their own account,” @samczsun, the Twitter handle for an employee at investment firm Paradigm, wrote. “The rest is history. tl;dr—Wormhole didn't properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.”

 

My thoughts

This is what unregulated "currency" gets you I guess. I knew this happened a few times, but didn't realize just how common large scale crypto theft really is.

 

Sources

https://arstechnica.com/information-technology/2022/02/how-323-million-in-crypto-was-stolen-from-a-blockchain-bridge-called-wormhole/
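The failure described in the quote above ("didn't properly validate all input accounts") can be shown in a simplified model. This is an added example, not code from the article, the post, or Wormhole; the program id, the key, and the HMAC stand-in for guardian signatures are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Everything here is constructed for illustration: the names, the key and the
# HMAC stand-in for guardian signatures are assumptions, not Wormhole code.
BRIDGE_PROGRAM = "bridge-program"          # hypothetical program id
GUARDIAN_KEY = b"constructed-guardian-key"

@dataclass(frozen=True)
class Account:
    owner: str   # program that created the account and may write to it
    data: bytes  # here: digest of the message the guardians approved

def digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()

def guardian_sign(message: bytes) -> bytes:
    return hmac.new(GUARDIAN_KEY, message, hashlib.sha256).digest()

def verify_signatures(message: bytes, signature: bytes) -> Account:
    """Step 1: check the guardian signature, then record the result in a
    signature-set account owned by the bridge program."""
    if not hmac.compare_digest(signature, guardian_sign(message)):
        raise PermissionError("bad guardian signature")
    return Account(owner=BRIDGE_PROGRAM, data=digest(message))

def mint_unvalidated(sigset: Account, message: bytes) -> bool:
    """Weak form: trusts whatever account the caller passes in."""
    return hmac.compare_digest(sigset.data, digest(message))

def mint_validated(sigset: Account, message: bytes) -> bool:
    """Hardened form: the account must have been written by the bridge
    itself, so its contents prove that step 1 really ran."""
    if sigset.owner != BRIDGE_PROGRAM:
        return False
    return hmac.compare_digest(sigset.data, digest(message))

def compare(message: bytes = b"constructed mint request"):
    """Run both checks on a genuine account and on a look-alike account
    that has the right contents but was not created by the bridge."""
    genuine = verify_signatures(message, guardian_sign(message))
    lookalike = Account(owner="some-other-program", data=digest(message))
    return (mint_unvalidated(genuine, message), mint_validated(genuine, message),
            mint_unvalidated(lookalike, message), mint_validated(lookalike, message))
```

The two checks agree on the genuine account and differ only on the look-alike, which is why this class of bug passes ordinary functional testing.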


Cryptobros take another L

Gaming Rig:

CPU: Ryzen 5 5600x  | CPU Cooler: Cooler Master Hyper 212 BE  |  GPU: ZOTAC GeForce RTX 3060 Twin Edge OC  | RAM: Corsair Vengeance LPX 32GB DDR4 3200mhz  |  Motherboard: Gigabyte B450M DS3H V2  |  Storage:  WD Blue SN550 1TB NVMe M.2 SSD  |  Case:  Corsair 4000D Airflow  |  Power Supply: Corsair CX650w Bronze Series


42 minutes ago, poochyena said:

This is what unregulated "currency" gets you I guess.

So, uh, this isn't related to regulation.

From what I can tell this has to do with bad code and security exploits. This is all too common with many cryptocurrencies sadly.

 

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.


18 minutes ago, J-from-Nucleon said:

So, uh, this isn't related to regulation.

From what I can tell this has to do with bad code and security exploits. This is all too common with many cryptocurrencies sadly.

In a sense, it is. In an environment with regulations bad code like this most likely wouldn't have gone into production in the first place. There's a reason why traditional banks are risk averse and very conservative when it comes to new technologies. Banks are also subject to regular (security) audits meant to find any issues before they can affect customers.

 

~edit: To put this into perspective.

 

Imagine walking into a bank with a (forged) document that says: "Please transfer $300M into Eigenvektor's bank account. They have deposited the appropriate amount of Gold into our vaults. Signed: The Manager"

 

This is essentially the real world equivalent of what those hackers did.

 

Ask yourself this: Would the teller simply do as asked? I'm pretty sure this document would be checked by more than one person, there would be multiple checks to ensure the Gold is actually in their vault, and so on. A transaction of this size would never happen automatically nor would it happen in one go, precisely because there are regulations in place. But this Bridge did exactly as asked without a second thought or any kind of oversight, because transferring such a sum is nothing out of the ordinary, right?

Remember to either quote or @mention others, so they are notified of your reply


Isn't it so great that crypto is decentralized, it's perfect in every way 🙃

 

It's like the ye olde wild west from the past with bank heists, train robberies etc but the digital format of this. I honestly think with what we know of the past, the technology we have that this being a possibility with a new "superior" currency model is just an outright complete and utter failure.

 

The fact that this is happening, not could happen, completely voids any and all arguments for why crypto or anything like it is a good idea. It will get better, improvements will come, adoption is the answer etc etc blah blah is not the answer, never adopt or transition or something known to be so utterly flawed. Fixes come first not after.


1 hour ago, J-from-Nucleon said:

So, uh, this isn't related to regulation.

From what I can tell this has to do with bad code and security exploits. This is all too common with many cryptocurrencies sadly.

 

Regulation makes sure this does not exist or happen, and if on the very small off chance it does are held liable. How many "bank error in your favor" has happened in the past many decades? Additionally of any that did how many were able to be tracked and resolved?


1 minute ago, leadeater said:

It's like the ye old wild west from the past with bank heists, train robberies etc but the digital format of this.

 

 

Stick up them there firewalls buddy this is a hold up. Ye just be n'sure you decrypt that there gold before'n you hand it over ye hear? We don't want no mistakes now do we?

 

 

 

Crypto, the best thing since straight up gold for heists, ransoms and general  criminal activity.

 

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


9 minutes ago, mr moose said:

 

Stick up them there firewalls buddy this is a hold up. Ye just be n'sure you decrypt that there gold before'n you hand it over ye hear? We don't want no mistakes now do we?

 

 

 

Crypto, the best thing since straight up gold for heists, ransoms and general  criminal activity.

 

 

 

Amen to that!

The preferred way to pay.......
Off your local dealer, mobster or anyone else of this nature you want or need to.
And it launders so nice and clean too!

No wonder there were reports the creator of it was in hiding almost from the start and in truth, no one really knows "Who" the guy was or even if it was ever a singular individual aside from the guy(s) themselves.
Satoshi Nakamoto - Wikipedia

No way I'd put any trust into something so shady, so I don't.

"If you ever need anything please don't hesitate to ask someone else first"..... Nirvana
"Whadda ya mean I ain't kind? Just not your kind"..... Megadeth
Speaking of things being "All Inclusive", Hell itself is too.

 


8 hours ago, J-from-Nucleon said:

So, uh, this isn't related to regulation.

From what I can tell this has to do with bad code and security exploits. This is all too common with many cryptocurrencies sadly.

 

Banks are insured, backed by the government. If someone robs your local bank, you will still have all your money. It also means the government will go after the people who rob the bank. Who's going to go after people who steal crypto? No one, that's what makes it such a great target.


Another week, another crypto theft... And somehow the crypto bros are fine with that and still defend it.

 

Imagine if banks were getting raided like that and you actually lost your money each time instead of it being insured. All hell would break loose.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


A lot of blockchain stuff is programmed by 20 year olds who don't know what they're doing. 

 

There was once an Ethereum "smart" casino where the random number generator had the seed visible in the code, so anyone could recreate the precise sequence of random numbers and steal the money. Or a smart contract where a bug meant withdrawals could be called recursively at no cost (causing a loss of $50 million). Some of these things are so wide-open it's difficult to even call it theft - they're like 100 dollar bills lying on the sidewalk.


Was it really a hack and not the collection of the plunder by the top of the pyramid? :old-eyeroll:


Man, I'm sure glad people think the blockchain is going to replace everything someday. I really look forward to people stealing things I don't actually own

🌲🌲🌲

 

 

 

◒ ◒ 


Guess the devs forgot that Wormholes can collapse or are otherwise unstable 😉

CPU - Ryzen 7 3700X | RAM - 64 GB DDR4 3200MHz | GPU - Nvidia GTX 1660 ti | MOBO -  MSI B550 Gaming Plus


I also read an article somewhere about North Korea being responsible for a few hundred million in crypto theft. So innovative.


22 minutes ago, Heliian said:

I also read an article somewhere about North Korea being responsible for a few hundred million in crypto theft. So innovative.

Yep, Ars Technica wrote about that too. Turns out drug dealers aren't the only criminals interested in crypto!


4 hours ago, Arika S said:

Man, I'm sure glad people think the blockchain is going to replace everything someday. I really look forward to people stealing things I don't actually own

But that is exactly why everything you own needs to be backed by a NFT, so you can "prove" that you own it. So wherever it's been taken after it's stolen you can be safe and sound in the knowledge that you still "own it" lol


8 minutes ago, leadeater said:

But that is exactly why everything you own needs to be backed by a NFT, so you can "prove" that you own it. So wherever it's been taken after it's stolen you can be safe and sound in the knowledge that you still "own it" lol


 

 

It's like getting your car stolen, going to the thief and showing them the title of ownership and saying "give it back, see it says I own it".

🌲🌲🌲

 

 

 

◒ ◒ 
