The decentralized finance space experienced its first major setback of the year on February 3, when more than $321 million in Ether was stolen from the cross-chain network Wormhole. While this was not the first multi-million dollar DeFi hack this year, it was definitely the largest in a short period of time, and the second largest ever.

The hackers managed to mint 120,000 reviews of Ether (wETH) on Solana, after which they exchanged 93,750 wETH for ETH on the ethereum network. The rest was traded for other small-dollar torrents on the Solana platform.

After promising to recover the lost tokens, the Wormhole team has now revealed that the lost funds have been recovered. And, the platform is running again. It was also mentioned that all users' funds have also been secured. Although, it cannot be redeemed unless further notice is given.

As it turns out, that 120,000 ETH has been replaced by Jump cryptocurrency, a cryptocurrency venture capital firm that owns Certus One, the developer of the Wormhole token bridge.

. @JumpCryptoHQ believes in a multi-chain future where @Wormhole cryptocurrency is an essential infrastructure. That’s why we replaced 120k ETH to make the community membership complete and support Wormhole as it continues to grow.

– Jump Cryptocurrency U0001f9ac (@JumpCryptoHQ) February 3, 2022

One of the biggest DeFi rescues ever got the platform back on its feet quickly. However, the daunting task of recovering 120,000 wETH from the hackers still awaits them. To that end, Wormhole has reached out to miscreants on the chain, offering them a $10 million bounty in exchange for their funds.

The platform has not yet released an incident report on the matter, although many experts have already started working on solving the mystery. The analysts behind Rekt Capital have come up with their own theory that the hackers bypassed the "guardian," the entity that signed the transmission between the Solana wormhole bridge uplinks using the SignatureSet created in the previous transaction.

The hackers were then able to exploit a vulnerability in the network's smart contracts that authorizes the minting of tokens, allowing them to "fraudulently mint 120k wETH on Solana using the VAA authentication created in a previous transaction".

Kelvin Fitcher, developer of the ETH Layer 2 solution Optimism, took to Twitter to provide a more detailed analysis of the incident by retracing the steps of the hacker. According to him, the hackers first deposited 0.1 ETH into Solana and then minted the huge amount of money.

One of the parameters used in this function is the “transfer message”, which is basically a message signed by the guardian stating the token to be cast and the number of tokens:

– Smart Contracts (@kelvinfichter) February 3, 2022

He further explained that the "transfer message" contract is created on Solana by triggering a function called "post_vaa" that checks the validity of the message by checking the guardian's signature. Fitcher said the hacker was able to bypass the verification process by exploiting some discrepancies in the code, adding that

“Using this ‘fake’ system program, the attacker can effectively lie about the fact that the signature checker was executed. The signature is not checked at all. …… The attacker makes it appear as if the guardian has signed a 120k deposit in Solana’s Wormhole, even though they have not. All the attackers need to do now is make it happen by withdrawing their “game” funds to Ether.”

The analysts concluded that the problematic vulnerability would have been fixed by Wormhole unknowingly, and that the exploiters probably had prior knowledge of it and acted quickly before it was fixed.

The attacker may have discovered the change and knew in advance the type of vulnerability enabled by the old feature and was able to quickly assemble the attack.

– Smart Contracts (@kelvinfichter) February 3, 2022