In a message posted on the Ethereum blockchain, an address seemingly connected to Certus One offered the hackers a bounty of $10 million if they return the money. The message was spotted by Tom Robinson, the chief scientist at blockchain analysis firm Elliptic, and the address it came from interacts regularly with Wormhole smart contracts. Motherboard could not confirm the connection further.

"This is the Wormhole Deployer: We noticed you were able to exploit the Solana VAA verification and mint tokens," the message read. "We'd like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you've minted. You can reach out to us at contact@certus.one."
Certus One and its parent company Jump Crypto did not immediately respond to a request for comment.

The Wormhole hack is another black eye for the DeFi ecosystem, which is a subset of the cryptocurrency industry focused on more complex forms of investing than simply buying and holding; "staking" and "liquidity farming" are common ways of making a buck, and cross-chain protocols like Wormhole have become a core part of that emerging ecosystem. They've also become targets for hackers.

“Bridge projects, ‘moving’ tokens and coins from one blockchain to another, seem to be more vulnerable to attacks as they don't move the tokens themselves, but instead move data across chains that indicate such transfer is due,” Tal Be’ery, a cybersecurity expert and the CTO of the crypto wallet app ZenGo, told Motherboard in an online chat. “If there is an error or vulnerability there, the attacker can ‘print’ money.”

Last month, cross-chain protocol Multichain was exploited by multiple hackers who stole $3 million from users. The project successfully recovered funds from a self-proclaimed “white hat” hacker after the company exchanged messages with the hacker on the blockchain.

Last year, a hacker stole around $600 million from the cross-blockchain cryptocurrency platform Poly Network, and later returned it after the company posted several messages on the blockchain calling the hacker “Mr. White Hat” and even offering them a job. In the end, the hacker actually returned all the money.

Will Wormhole be as lucky?

Do you have any information about this hack? Or do you research vulnerabilities on cryptocurrencies and their networks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com