
Solana Wormhole Compromise: 120k Wrapped ETH Stolen


What happened

On February 2, at least 120,000 Wrapped ETH worth over $324 million were stolen in a compromise of the Wormhole service, a cross-chain bridge that allows the trading of assets between Solana and several other blockchains. Approximately 93,750 of these WETH have been transferred to a single address on the Ethereum blockchain and are sitting unspent. The initial ETH used to launch the attack was sourced from Tornado.cash, an anonymizing/mixing service.

Graph: TRM Labs

In response to the theft, the Wormhole team attempted to contact the hacker via messages embedded in Ethereum transactions, offering a $10 million bounty for the return of the stolen funds. No response from the hacker has yet been noted. Should the hacker choose to spurn Wormhole’s offer and keep the entire haul of stolen ETH, the next destination for the funds is most likely Tornado.cash, which has become the mixer of choice for hackers on account-based blockchains.

Several analyses of Wormhole’s contracts have identified the errors that allowed the hack to take place. In essence, the hacker was able to bypass a signature verification step in Wormhole’s contracts, effectively spoofing authority to deposit the 120k WETH into Wormhole on Solana. The flaw has since been patched, and Wormhole has been restored after the service announced it had secured enough ETH to back its WETH on a 1:1 basis.

TRM’s cross-chain platform uniquely allows investigators and analysts to view compromises like this as they occur. Assets on Solana and Ethereum can be viewed side-by-side — in the same graph. Cross-chain swaps, like those that bridged the stolen WETH from Solana to Ethereum, can be plotted automatically and in real-time, radically reducing the time needed to understand and respond to complex attacks like this.

Addresses associated with the exploit are live in the TRM platform so that TRM customers can manage exposure. TRM will continue to monitor the stolen funds in support of fund recovery efforts. Questions? investigations@trmlabs.com
