WormHole bridge hack: Can DeFi blockchain technology be trusted after second largest cryptocurrency theft?
The second largest hack in decentralised finance (DeFi) occurred last week in an attack that stole $320 million, or 120,000 Ethereums, highlighting the growing trend of attacks on cryptocurrency platforms and security concerns.
Wormhole, one of the most popular bridges linking the Ethereum and Solana blockchains, was hacked on Wednesday.
This is not the first time such a theft has occurred. For example, the week before this attack, hackers stole $80 million from the DeFi Qubit Finance protocol.
The largest hack took place last August, when $600 million worth of tokens were stolen from the Poly Network platform, but strangely enough, the hackers later returned almost all of the money, as their goal was to expose flaws in the system.
The hacks raise questions about the security of DeFi, an emerging financial technology that features programmable pieces of code called "Smart Contracts" that can replace intermediaries like banks and lawyers in transactions.
What is a bridge?
A bridge, or gateway, is a protocol that allows users to move assets such as cryptocurrencies, tokens and NFTs between different blockchains. It works by locking digital assets on one blockchain to produce a copy on the second.
Cryptocurrency holders do not typically operate in a single blockchain ecosystem, so developers have created bridges to fill the gap.
Wormhole has locked in more than $1 billion (€875 billion) in total value and supports six blockchains: Terra, Solana, Ethereum, Binance Smart Chain, Avalanche and Polygon.
How did the piracy happen?
"A bridge hack occurs when a vulnerability is identified and exploited within the contract linking the two different blockchains," said Nicholas Percoco, head of security at Kraken, a US-based cryptocurrency exchange-enabling bank.
"In this case, the Wormhole bridge, which enables transactions between Solana and Ethereum, was targeted. An attacker was able to create new tokens on the Solana side of the bridge and drain the balance on the Ethereum side of the bridge, which is equivalent to more than $320 million," he told Euronews Next.
According to Dr Merav Ozair, blockchain expert and professor of FinTech at Rutgers Business School in New Jersey, USA, the hack occurred on Layer 2, not Layer 1, so it was not the cryptocurrencies themselves that were hacked.
Layer 1 is the term used to describe the main underlying architecture of the blockchain (i.e. a blockchain, like Ethereum or Solana, Avalanche or Binance Smart Chain). The expert says that layer 1 is almost impossible to hack.
But she also explains that layer 2, the overlay network that sits on top of the underlying blockchain (such as the Wormhole bridge), is less secure and therefore more vulnerable to exploitation due to programming errors.
"Therefore, the solution should be to create more secure blockchain bridges that protect against potential attacks.
Should blockchain become more secure?
Blockchain is a technology that, like others, can be susceptible to programming errors and can be exploited, as seen with Wormhole.
"High-level attacks, such as this one, reinforce the importance for the wider crypto ecosystem to prioritise a security mindset and remain vigilant," said Percoco.
"Criminals are constantly looking for new attack vectors and vulnerabilities, which means that investment in security protocols is necessary and these need to be constantly updated. We expect the spotlight on this event to focus the attention of cybersecurity teams on the entire blockchain ecosystem and result in more robust protocols in the future," he added.
Because of the risks, Ozair said she had argued for a mechanism to audit applications before they are fully launched. This mechanism already exists in centralised systems, such as in Apple's apps.
"The blockchain ecosystem, if it wants to expand and become mainstream, needs to understand how an audit mechanism can be implemented in decentralised applications or platforms," she said.
She believes that "it can be done", but will require a lot of thought and collaboration from all members of the blockchain ecosystem.
Author: Lorenzo Felici