Welcome to PYMNTS’ series on crypto crime. In it, we’ll be looking at the crimes that have not only been committed in the cryptocurrency industry but have defined it — especially bitcoin — in many people’s minds.
We’ll give you a look at the realities and the myths, and at the methods and tools authorities and private-sector security companies are starting to use to break through the mythical anonymity that many criminals — and honest people — believe shields their transactions.
Along the way, we’ll tell you some stories to illustrate. Some will be funny, some will be whimsical, some will be sad and a few will be horrifying. A whole lot of them will be hard to believe. But they’ll all be true — or at least what Watergate journalist Bob Woodward called “the best obtainable version of the truth.”
Blockchain transaction bridge Wormhole was hacked Wednesday (Feb. 2), losing $326 million in the largest crypto crime to date this year.
You’ll note we said “largest” because it is far from the first crypto theft of the year, which is only 34 days old. There was also the $80 million hack of decentralized finance (DeFi) platform Qubit Finance Jan. 27 and the $30 million Crypto.com exchange hack Jan. 20.
In other words, here we go again. Yet another massive hack of a DeFi platform as the broader crypto industry struggles to convince lawmakers and regulators like the Securities and Exchange Commission (SEC) that it is a safe and reliable place for people to keep their wealth.
What’s interesting about Wormhole is that it is a payments rail, a bridge allowing users to send messages and payments in one cryptocurrency to a decentralized application (DApp) on another without selling one cryptocurrency to buy another — Solana’s SOL tokens and Ethereum’s ether (ETH) in this case. This not only makes cross-chain payments faster and easier, it avoids the transaction fees that going through an exchange would require.
The theft, in which a hacker exploited a flaw in the protocol that let the attacker create fake tokens on one chain and trade them for real ones on the other, is the fourth-largest crypto theft of all time, according to leading blockchain intelligence firm Elliptic. It involved 120,000 ether tokens, worth $326 million at the time.
Wormhole later announced that its funds had been “restored” — meaning replenished by its backers, not returned by the hacker. The security hole was fixed and the platform was up and running.
Elliptic added that the Wormhole team has offered the attacker a $10 million bug bounty in what it described as a “whitehat agreement” — referring to white hat hackers who look for potential exploits and then inform the developers of them, looking for a reward rather than a way to steal like “black hat” hackers.
If all that sounded familiar, it’s probably because you read the first article in this PYMNTS series, about the $612 million hack of cross-chain protocol Poly Network, in which the attacker returned the funds in exchange for some ego stroking and a post-attack white hat bug bounty offer.
What’s a Cross-Chain Bridge?
Wormhole and Poly Network work in largely the same way and provide largely the same service. They create a bridge that allows transactions between incompatible platforms built on different blockchains by “wrapping” one cryptocurrency in another. Let’s unpack that.
Wormhole is primarily a bridge between two popular DeFi blockchains, Ethereum and Solana, the latter of which Bank of America said has the potential to become the “Visa of the digital asset ecosystem.”
Along with Cardano and Polkadot, Solana is one of the big three so-called “Ethereum Killers” looking to siphon off projects and platforms by offering faster, cheaper, more reliable transactions. While they can be used for any blockchain project, such as nonfungible tokens (NFTs) or supply chain management DApps, the lucrative and fast-growing DeFi industry is their primary focus. The problem is they are siloed, so a project built on one blockchain cannot interact directly with a project on another blockchain.
The way cross-chain bridges like Poly Network and Wormhole work is simple. Bill has 100 ETH tokens he wants to send to Bob on the Solana network. Rather than going to an exchange to sell and buy tokens, he turns to Wormhole. Bill deposits his 100 ETH with Wormhole, which trades them for “wrapped ether” or wETH. Those wETH — backed by the real ETH — are Solana-standard tokens that can be used like SOL on its blockchain. Once the transaction is done, Bob can take the wETH and trade them for the locked-in ETH.
A wrapped token is in some ways a stablecoin in that its value is pegged one-to-one to an asset held in a reserve on the cross-chain bridge protocol. It can be redeemed at any time, by anyone. However, one wETH token does not equal one SOL token — Wormhole and similar projects take the exchange rate into account.
But wrapped tokens do not just carry a transfer of value. They can be used to send messages and data across blockchains, allowing projects to interact outside of their own blockchain silo.
The Wormhole Dilemma
What happened to Wormhole is that a flaw in the code was exploited by a hacker who was able to mint 120,000 wETH out of thin air and then promptly return them for ETH tokens.
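As an added illustration (not code from Wormhole or from the original article), the lock-and-mint flow described earlier and the unbacked mint described here can be expressed as a reserve check: wrapped tokens in circulation should never exceed the ETH held in reserve. The event names, log format, account names and the 150,000 ETH of honest deposits are assumptions constructed for the example; the flaw itself is not modeled.

```python
# Added illustration: a reserve-backing check for a lock-and-mint bridge.
# Event kinds and the (kind, account, amount) log format are assumptions.

def audit_bridge(events):
    """Replay bridge events and report every point at which wrapped supply
    exceeds the locked reserve, i.e. wrapped tokens exist without backing."""
    locked = 0    # ETH held in reserve on the source chain
    wrapped = 0   # wETH in circulation on the destination chain
    findings = []
    for index, (kind, account, amount) in enumerate(events):
        if amount <= 0:
            raise ValueError(f"event {index}: amount must be positive")
        if kind == "lock":        # user deposits ETH with the bridge
            locked += amount
        elif kind == "mint":      # bridge issues wETH on the other chain
            wrapped += amount
        elif kind == "burn":      # holder hands wETH back for redemption
            wrapped -= amount
        elif kind == "release":   # bridge pays out locked ETH
            locked -= amount
        else:
            raise ValueError(f"event {index}: unknown kind {kind!r}")
        if wrapped > locked:
            findings.append({"index": index, "kind": kind,
                             "account": account, "unbacked": wrapped - locked})
    return findings

# Constructed log: Bill locks 100 ETH, Bob receives and later redeems 100 wETH.
NORMAL = [("lock", "bill", 100), ("mint", "bob", 100),
          ("burn", "bob", 100), ("release", "bob", 100)]

# Constructed log: honest users hold 150,000 wETH, then 120,000 wETH is
# minted with no matching lock and redeemed against the shared reserve.
INCIDENT = [("lock", "users", 150_000), ("mint", "users", 150_000),
            ("mint", "acct_x", 120_000),
            ("burn", "acct_x", 120_000), ("release", "acct_x", 120_000)]

if __name__ == "__main__":
    print("normal:", audit_bridge(NORMAL))
    for finding in audit_bridge(INCIDENT):
        print("incident:", finding)
```

The check fires twice on the constructed incident log: once when the unbacked tokens are minted, and again after the release, when the shortfall has moved onto the remaining honest holders.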
While it’s not clear if the “white hat bug bounty” fiction will work a second time, the Wormhole offer is basically “you take $10 million that is legally yours, free and clear, and we won’t press charges on the $326 million in ether tokens that you return.”
That’s fine and dandy, except for three things: $10 million is a lot less than $326 million; there’s no guarantee Wormhole will honor its non-prosecution promise; and there’s even less of a guarantee that law enforcement will see the payoff as a bug bounty rather than extorted funds or will accept that giving back the funds negates the crime of their theft in the first place.
So, the newest Mr. White Hat — what Poly Network called its hacker — would still have to hide and launder his ill-gotten gains and protect his identity, but for a $316 million smaller payoff.