Behind the $325mm Blockchain Hack

Feb 3, 2022

There was a ~$325mm hack of a blockchain bridge called Wormhole yesterday. Even if you aren't interesting in crypto, interesting software development lessons to be learned from this one. What a bridge is, how it happened, and some structural weaknesses of the ecosystem that need to be addressed.

A bridge allows you to move your tokens cross chain. It's like being able to exchange dollar values for gift cards at two different stores.

First, you deposit your tokens in a wallet or contract on the source chain (let's say Ethereum). In the Wormhole case, a centralized service then watches those transactions and mints new "wrapped" tokens on the destination chain that are 1:1 with the sent token. When tokens are exchanged back, the "wrapped" tokens get destroyed.

Bridges are vulnerable to exploits on either side of the bridge. Exploits happen in all sorts of ways. In this case, there was an exploit in smart contract code the destination blockchain. There are much more elaborate hacks, but this one was a simple oversight:

if (condition1 == condition2)

the above returns true when condition1 and condition2 are false. The author really meant:

if (condition1 && condition2)

There are much more elaborate hacks: a 51% attack where you control 51% of the nodes in a blockchain and can reverse transactions (send a transaction, get tokens on the new blockchain, reverse the original transaction).

Some thoughts on the inherent weaknesses of the system:

  • Decentralized infrastructure is difficult to quickly and quietly patch. Even though most of Wormhole was actually centralized, the patch was sent before the hack (source). The attackers could have been monitoring the repository, looking for bug fixes to exploit before they were rolled out. Many times exploits are communicated to the company beforehand to be silently patched before released to the public. Who do you contact in a decentralized system?
  • Smart contracts have huge API surface areas, even when explicitly designed not to. From the lower level infrastructure, to end users simply writing incorrect logic, there are many places where you can go wrong. These even happen at the lowest levels in the most well-used software and hardware (see Spectre and Meltdown).
  • Irreversible transactions. Even though transactions are more simple to trace on blockchains (everything is public), they are irreversible by design. In the traditional finance system, mistakes do happen, but they can get reversed. Just because Chase accidentally shows millions of dollars in your bank account doesn't mean that you're rich.

In the end, the lost $325mm was actually made whole by Wormhole. We don't know who the mysterious backer is and there aren't many institutions that can cover this loss this quickly. Maybe this is the cost of doing business?