Yesterday, beginning at 18:24 UTC, someone or something exploited a security vulnerability on Wormhole, a tool that allows users to swap assets between Ethereum and a number of blockchains, resulting in the loss of 120,000 wrapped ether (or wETH, worth about $321 million) on the platform.
This is the second largest decentralized finance (DeFi) attack to date, according to rekt’s leaderboard, in an industry where security exploits are fairly common and part of users’ risk curve. There’s a whole business made out of code reviews, a lexicon of industry-specific jargon to explain what’s going on and something of a playbook to follow if and when “hacks” inevitably occur.
This article is excerpted from The Node, CoinDesk’s daily roundup of the most pivotal stories in blockchain and crypto news. You can subscribe to get the full newsletter here.
Wormhole, apart from catching and patching this bug earlier, has seemingly tried to do the right thing: They shut down the platform to prevent further losses, notified the public of what they know and announced Jump Trading is on the line to replenish the stolen coins.
Furthermore, in a move that’s becoming increasingly common, the Wormhole Deployer has posted an open message to the exploiter on Ethereum offering them a “white hat agreement” and $10 million for an explanation of the attack in exchange for the stolen funds.
Excuse the simile, but this is like waiting for a magician to pull a rabbit from a top hat. The world is waiting to see whether they’re dealing with a “white” or “black” hat hacker, terms meant to explain a hacker’s motivations. The reality is likely to be a little more gray.
Hacks vs. exploits
“Black hat hackers are criminals who break into computer networks with malicious intent,” according to Kaspersky security experts. They may use malware, steal passwords or exploit code as it’s written for “self-serving” or maybe “ideological” reasons. White hats, aka “ethical hackers” or “good hackers,” are the “antithesis.”“They exploit computer systems or networks to identify their security flaws so they can make recommendations for improvement,” Kaspersky writes.
Due to the way crypto networks are designed, it’s often unclear who it is you’re dealing with. Users exist as long strings of alphanumeric gibberish, and their past is reduced to a series of transactions connected with their address.
This system has some benefits. Even if platforms don’t “know” their “customers,” all transactions are recorded on-chain and anyone can “verify” which coins belong to whom. DeFi exploits are often dead ends: Exchanges, used as on and off-ramps to and from the crypto economy, can blacklist stolen funds, reducing those token’s utility and value to nothing.
That may explain why some of the most prominent exploits see masterminds return their bounties. For instance, last August, the Poly Network “hacker,” as they came to be referred to, returned nearly all of the $610 million worth of stolen crypto assets, and asked for people to see their exploit as a “white hat hack,” meant to bring awareness to a disastrous bug.
This might be rewriting history – a post hoc explanation for an attack that was ultimately poorly executed? It might be happening again: We don’t know the Wormhole exploiter’s motivations, but the bridge’s team seems to be asking that they eat the bug in exchange for a tidy $10 million.
In a sense, the system is set up in an attacker’s favor. When someone uses the code as it’s written, but not as intended, technologists will refer to that as an “exploit.” Code is given precedence above human action, so that human errors – like fat fingering a bad transaction or missing a gaping security hole – are explained as a natural process of the code.
An attack is only elevated to the level of a “hack” when the code is rewritten or broken. This is an important technological distinction, even though the terms likely stem from the gaming industry where “hacking” a game to gain an unfair advantage is often frowned upon whereas “exploits,” or finding loopholes in the game, are boasted about.
It’s probably fair to say this recent attack wasn’t part of the Wormhole Deployer’s plans or motivations. A mistake in the code was seemingly made, or not found, and solutions are being worked out. It might point to the “fundamental security limits of bridges,” as Ethereum co-creator Vitalik Buterin noted in a prescient blog posting a few weeks ago.
The attacker conducted a series of transactions so that Wormhole “smart contract” confused falsely minted wETH will the real stuff – a full breakdown here. It was a loophole that someone with deep knowledge and a lot of time was able to exploit.
Some people will consider this attack as a contribution to the overall body of knowledge about crypto. Some have even said this process may ultimately lead to “unhackable code,” as every smart contract is a potential “million-dollar bug bounty.”
So, it’s worth asking if the language crypto uses to explain its myriad vulnerabilities (risks stacked on risks) contributes to the ongoing business made out of hacks. Or if sometimes we’re pulling definitions from hats.