Rapture #130: The Bridge Exploits Begin

Just as the crypto market was reacting to the earnings miss by FB in after hours, which led to a 22.8% drop in FB so far, another bearish event hit the market: Wormhole, a popular Solana bridge, was exploited. It will be interesting to see if this exploit does any near term damage to SOL (already down approximately 10% so far) or if it will be shrugged off like many DeFi exploits are on Ethereum.

Wormhole Exploit

An exploit was executed on Wormhole to the tune of more than $326 million. Currently, the attacker holds more than $250 million worth of ETH in an Ethereum address, which can be seen here, and also another 40,000 ETH on Solana.

If you want a detailed technical walkthrough of how the attack was executed, you can find it here. In summary, the attacker was able to make it seem like the guardians on Wormhole approved a transaction to deposit 120k ETH. Because the deposit appeared to be guardian-approved, it was treated as real even though it was not, and the system credited the attacker with having deposited 120k ETH, which allowed the attacker to actually withdraw 120k ETH.
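A simplified model of the failure described above, added here as an illustration and not Wormhole's code or the linked walkthrough's: a bridge that credits a deposit on a caller-supplied claim of guardian approval, beside one that checks the guardian quorum itself. The guardian names, the HMAC keys standing in for real signatures, the quorum of 3 and the message format are all assumptions.

```python
import hashlib
import hmac

# Constructed guardian set; HMAC keys stand in for the guardians' signing keys.
GUARDIANS = {f"g{i}": f"constructed-key-{i}".encode() for i in range(4)}
QUORUM = 3  # assumed approval threshold for this model


def deposit_message(amount: int, nonce: int) -> bytes:
    """Canonical bytes the guardians sign; binds the amount and a nonce."""
    return f"deposit:{amount}:{nonce}".encode()


def sign(guardian: str, message: bytes) -> bytes:
    return hmac.new(GUARDIANS[guardian], message, hashlib.sha256).digest()


def count_valid(message: bytes, signatures: dict) -> int:
    """Count distinct known guardians whose signature over `message` verifies."""
    return sum(
        1 for g, sig in signatures.items()
        if g in GUARDIANS and hmac.compare_digest(sig, sign(g, message))
    )


class Bridge:
    def __init__(self, locked_eth: int):
        self.locked = locked_eth  # ETH actually held in reserve
        self.wrapped = 0          # wrapped ETH credited on the other chain
        self.seen = set()         # deposit messages already credited

    def credit_trusting(self, amount: int, approved: bool) -> bool:
        # Weak: believes a claim that the guardians approved, without checking.
        if approved:
            self.wrapped += amount
        return approved

    def credit_verified(self, amount: int, nonce: int, signatures: dict) -> bool:
        # Hardened: rebuilds the message, verifies the quorum, rejects replays.
        message = deposit_message(amount, nonce)
        if message in self.seen or count_valid(message, signatures) < QUORUM:
            return False
        self.seen.add(message)
        self.wrapped += amount
        return True

    def fully_backed(self) -> bool:
        # The 1:1 invariant: credited wrapped ETH never exceeds the reserve.
        return self.wrapped <= self.locked
```

Because the hardened path derives the signed bytes from the amount it is about to credit, signatures gathered for one deposit cannot be reused to approve a larger one.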

Many have been sounding the alarm that this exploit could have a cascading negative effect throughout the DeFi ecosystem on Solana, considering a significant amount of ETH used as collateral effectively lost its backing when the bridge was exploited.

Yet Wormhole has assured the market that ETH will be added over the next hours to ensure wETH is still backed 1:1, which so far has prevented a potential DeFi implosion from happening on Solana. Rumors are that Jump Capital, Alameda Research, and/or SBF might have moved quickly in order to ensure the wETH remained backed to prevent a systemic implosion of DeFi on Solana. Wealthy private financial institutions and individual financiers stepping in to save markets was a staple of the early markets here in the US, until many lost their hats trying to prop up stocks during the beginning of the Great Depression.

Industry Leaders Predicted These Problems

Problems with bridges were not unforeseen. In fact, Vitalik Buterin called out the risk of exploits to bridges not 26 days ago in a Reddit post. While Vitalik was mostly calling attention to how 51% attacks could cause cross-chain assets to lose their backing, his logic rings true in situations like the Wormhole exploit as well. At the end of the day, since the ETH held in reserve was stolen, the tokenized ETH on Solana is no longer fully backed.

Clearly, this exploit and Vitalik’s warning display some of the pitfalls of a cross-chain world.

Takeaway

This exploit will likely be the first of many. Bridges often hold hundreds of millions to billions of dollars’ worth of assets, making them the most attractive honey pot for any exploiter.

Since these bridges are relatively new (generally less than 1.5 years old), they have not been robustly tested by an adverse environment.

Disclaimer:

The Content on this email is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on this site constitutes a solicitation, recommendation, endorsement, or offer by Rapture Associates or Mattison Asher or any third party service provider to buy or sell any securities or other financial instruments in this or in any other jurisdiction in which such solicitation or offer would be unlawful under the securities laws of such jurisdiction.

All Content on this site is information of a general nature and does not address the circumstances of any particular individual or entity. Nothing in the Site constitutes professional and/or financial advice, nor does any information on the Site constitute a comprehensive or complete statement of the matters discussed or the law relating thereto. You alone assume the sole responsibility of evaluating the merits and risks associated with the use of any information or other Content on the Site before making any decisions based on such information or other Content. In exchange for using the Site, you agree not to hold Rapture Associates, Mattison Asher, and their affiliates or any third party service provider liable for any possible claim for damages arising from any decision you make based on information or other Content made available to you through the Site.