By: John Gillies
Wormhole is a bridge for cryptocurrency transactions in the ever-evolving decentralized finance space (“DeFi”). Cryptocurrency connoisseurs will tell you that Wormhole is a very apt name for the product, as $323 million was exploited by a hacker, seemingly disappearing down a “wormhole” on February 2, 2022. While users have been made whole again by the company, this hack (surprisingly not the largest cryptocurrency heist to date) demonstrates that not all the kinks have been worked out in the cryptocurrency space.
Cryptocurrency users wishing to transfer their tokens from one blockchain to another use a bridge, like Wormhole, which locks the assets and “mints” a “wrapped” token on the blockchain which the user chooses to send their funds to. Minting a token is essentially a validation mechanism and is meant to be a core security feature for cryptocurrencies. The hack attacked a vulnerability in the bridge between the Solana and Ethereum blockchains, which allowed an attacker to “mint” new tokens on the Solana side of the bridge and drain the balance from the Ethereum side of the bridge.
Wormhole creates bridges between blockchain networks, and supports six blockchains: Terra, Solana, Ethereum, Binance Smart Chain, Avalanche, and Polygon. The bridges function as a sort of currency exchange. Bridges help facilitate conversions between the various cryptocurrencies, and Wormhole facilitates conversions between any combination of those six blockchain networks. Most users of cryptocurrency do not solely use one form of cryptocurrency, they use multiple, creating the need for these bridge networks. It is the same general concept as exchanging dollars for euros at the bank, except with different cryptocurrencies in the DeFi space.
In the cryptocurrency world, standard transfers across bridges are performed with smart contracts. Typically, there is one smart contract on each blockchain (as is the case for Solana and for Ethereum). Wormhole, when operating properly, takes the coin on one side and locks it into a smart contract on that blockchain. A smart contract on the other side of the bridge then issues a token, worth the same value, that was just converted into the form of a different token.
Wormhole, upon realizing the extent of the hack, put out a notice on twitter that it was adding Ethereum, to ensure that the “wrapped” Ethereum was backed 1:1. This statement, reflected an effort to mitigate the diffusion of this issue across the entire cryptocurrency market. Wormhole also offered the hacker a “Whitehat Agreement,” which is a new phenomenon in the cryptocurrency space. A White Hat hacker is a someone who is hacking specifically to search for vulnerabilities in an organization’s system. They consider themselves to be ethical, hacking only to determine where companies are exposed for attacks. In August of 2021, hackers stole roughly $600 million from the Poly Network(another bridge). The network offered to let the hacker keep $500,000 as a “bug bounty,” (a reward for identifying a weak point in its code), and invited the hacker to become its chief security advisor. The hacker accepted the bug bounty but has not yet accepted the job offer.
The bug bounty offered by Wormhole is significantly more substantial than the one offered by the Poly Network. In a message embedded in an Ethereum transaction sent to the attackers account, Wormhole officials wrote, “We’d like to offer you a whitehat agreement, and present you with a bounty of $10 million for exploit details, and returning the wETH you’ve minted.” The thought process is that taking the offer removes the heat from authorities and eliminates the headache of having to launder the money. It remains to be seen if this hacker will take the deal like the Poly Network hacker did.
While there are White Hat Hackers who claim their mission is to simply expose flaws and improve security, there are still malintent hackers and scammers. In 2021, “about $2.2 billion was stolen from DeFi protocols due to vulnerabilities . . . and an additional $10 billion was lost due to scams.” This flies directly in the face of what cryptocurrency enthusiasts like the most about the new form of commerce, specifically the “general perception that the blockchain itself is secure and unbreakable,” which “translates into an overabundance of faith in the services that operate on top of it[.]” This perception from the public is particularly problematic, because the cryptocurrency world is “an immature industry using immature code, and like all new industries, it is moving ahead at warp speed, good security be damned.”
Cryptocurrency certainly has the potential to change the financial world in a massive way, but the decentralized aspect which is so fundamental to the industry is also what could potentially be its downfall. The appeal, as a financial institution entirely removed from government oversight, also removes companies from the scrutiny of regulators and law enforcement. It remains to be seen if the crypto industry will make the adjustments necessary to avoid such large hacks, and thrive in a space free from regulations and law enforcement.
Student Bio: John Gillies is a second-year law student at Suffolk University Law School. He is a staffer on the Journal of High Technology Law. John received a Bachelor of Arts Degree in Sociology from the University of Connecticut.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.
