A recent breach that resulted in a loss of about $320 million in crypto assets illustrates the security challenges and vulnerabilities that decentralized finance (DeFi) projects continue to struggle with, even as they experience rapid growth. The Wormhole network fell victim to a signature verification attack, the sort of code-level vulnerability that investors need to be wary of as they trust unregulated platforms with large sums of money.
Wormhole network breach sets record for DeFi losses
The attack on the Wormhole network was the second large-scale theft from a DeFi project in 2022, coming just weeks after the Qubit trading platform lost $80 million in crypto to a threat actor. At a loss of $320 million, it is also the second-largest attack on a DeFi project in history, though technically it could be considered the largest in terms of actual money lost, as the $600 million stolen from Poly Network in 2021 was almost completely recovered.
DeFi projects attract investors because of the lack of government oversight, but that “Wild West” state of affairs creates obvious security concerns. The investor is trusting not only the honesty and competence of the project's staff, but also the security of its code.
Cyber criminals have certainly noticed that this is not always the case, taking over $2 billion from these platforms by finding and exploiting vulnerabilities in 2021. Five times that amount was stolen in scams, usually involving either phishing from the outside or dishonesty by insiders. Wormhole network is hardly unique in being hit this way, but is one of the more egregious examples as it takes a place as one of the five largest cryptocurrency breaches (not just DeFi platforms) in history.
So what exactly happened? The attacker exploited Wormhole network’s unique status as a “bridge” between the Solana blockchain and a variety of other DeFi projects. This status allowed Wormhole to hold Solana wETH tokens not yet tied to Ethereum deposits in other places. A signature verification vulnerability allowed an attacker to make this connection, bridging these tokens to Ether at their end in order to steal them.
DeFi projects have little recourse when code is breached
DeFi projects have generally been good about quickly patching code when vulnerabilities are found, but recovering stolen money is another story entirely.
As the prior Poly Network incident demonstrates, the most effective approach is usually to reach out to the attacker and offer them a “white hat” arrangement; in other words, a bribe to return the money and play the situation off as a “security demonstration.” This did not appear to work for Wormhole, which is instead offering a $10 million bounty for information leading to the culprit or recovery of the funds. The platform also introduced a bug bounty program in response to this incident.
The trouble with this approach is that, in certain jurisdictions, such payments could be illegal. This would draw the attention of regulators, something that these platforms specifically want to avoid. Innovation in the way crypto wallets handle tokens and reputable third-party security evaluations might help perceptions of DeFi security in the near term, but investors will have to continue to accept considerable risks.