Wormhole Hacker

Jump Crypto & Oasis.app counter exploit Wormhole hacker for $225M

The counter exploit came after the High Court of England and Wales ordered Oasis.app to work with Jump Crypto to retrieve the stolen funds.

Web3 infrastructure firm Jump Crypto and decentralized finance (DeFi) platform Oasis.app have conducted a “counter exploit” on the Wormhole protocol hacker, with the duo managing to claw back $225 million worth of digital assets and transfer them to a safe wallet.

The Wormhole attack occurred in February 2022 and saw roughly $321 million worth of Wrapped ETH (wETH) siphoned via a vulnerability in the protocol’s token bridge.

The hacker has since shifted around the stolen funds through various Ethereum-based decentralized applications (dApps), and via Oasis, they recently opened up a Wrapped Staked ETH (wstETH) vault on Jan. 23, and a Rocket Pool ETH (rETH) vault on Feb. 11.

In a Feb. 24 blog post, the Oasis.app team confirmed that a counter exploit had taken place, outlining that it had “received an order from the High Court of England and Wales” to retrieve certain assets that related to the “address associated with the Wormhole Exploit.”

The team stated that the retrieval was initiated via “the Oasis Multisig and a court-authorized third party,” which was identified as being Jump Crypto in a preceding report from Blockworks Research.

Transaction history of both vaults indicates that 120,695 wstETH and 3,213 rETH were moved by Oasis on Feb. 21 and placed in wallets under Jump Crypto’s control. The hacker also had around $78 million worth of debt in MakerDAO’s DAI stablecoin that was retrieved.

“We can also confirm the assets were immediately passed onto a wallet controlled by the authorized third party, as required by the court order. We retain no control or access to these assets,” the blog post reads.

@spreekaway tweet on the counter exploit. Source: Twitter

Referencing the negative implications of Oasis being able to retrieve crypto assets from its user vaults, the team emphasized that it was “only possible due to a previously unknown vulnerability in the design of the admin multisig access.”

The post stated that such a vulnerability was highlighted by white hat hackers earlier this month.

“We stress that this access was there with the sole intention to protect user assets in the event of any potential attack, and would have allowed us to move quickly to patch any vulnerability disclosed to us. It should be noted that at no point, in the past or present, have user assets been at risk of being accessed by any unauthorized party.”


Jump Crypto and Oasis.app ‘counter exploits’ Wormhole hacker for $225M

The asset retrieval came after the High Court of England and Wales ordered Oasis.app to work with Jump Crypto to recover the stolen funds.

Web3 infrastructure firm Jump Crypto and decentralized finance (DeFi) platform Oasis.app have conducted a “counter exploit” on the Wormhole protocol hacker, with the duo clawing back $225 million of digital assets and transferring them to a safe wallet.

The Wormhole attack occurred in February 2022, with roughly $321 million worth of wrapped ETH (wETH) exploited via a vulnerability in the protocol’s token bridge.

The hacker has since moved the stolen funds through various Ethereum-based decentralized applications (DApps), such as Oasis, which recently opened up wrapped stETH (wstETH) and Rocket Pool ETH (rETH) vaults.

In a Feb. 24 blog post, the Oasis.app team confirmed that a counter exploit had taken place, outlining that it had “received an order from the High Court of England and Wales” to retrieve certain assets related to the “address associated with the Wormhole Exploit.”

The team stated that the retrieval was initiated via “the Oasis Multisig and a court-authorized third party,” which was identified as Jump Crypto in a preceding report from Blockworks Research.

Both vaults’ transaction history indicates that Oasis moved 120,695 wstETH and 3,213 rETH on Feb. 21 and placed them in wallets under Jump Crypto’s control. The hacker also had around $78 million in debt in MakerDAO’s Dai (DAI) stablecoin, which was retrieved.

“We can also confirm the assets were immediately passed onto a wallet controlled by the authorized third party, as required by the court order. We retain no control or access to these assets,” the blog post reads.

@spreekaway tweet on the counter exploit. Source: Twitter

Referencing the negative implications of Oasis being able to retrieve crypto assets from its user vaults, the team emphasized that it was “only possible due to a previously unknown vulnerability in the design of the admin multisig access.”

The post stated that such a vulnerability was highlighted by white hat hackers earlier this month.

“We stress that this access was there with the sole intention to protect user assets in the event of any potential attack, and would have allowed us to move quickly to patch any vulnerability disclosed to us. It should be noted that at no point, in the past or present, have user assets been at risk of being accessed by any unauthorized party.”


Wormhole hacker moves $155M in biggest shift of stolen funds in months

Blockchain transaction history shows that the hacker transferred the funds onto a DEX and then went on to cycle funds around different DeFi protocols.

The hacker behind the $321 million Wormhole bridge attack has shifted a large chunk of stolen funds, with transaction data showing that $155 million worth of Ether (ETH) was transferred to a decentralized exchange (DEX) on Jan. 23.

The Wormhole hack was the third-largest crypto hack in 2022, after the protocol’s token bridge suffered an exploit on Feb. 2 that resulted in the loss of 120,000 Wrapped ETH (wETH), worth around $321 million.

According to the transaction history of the hacker’s alleged wallet address, the latest activity shows that 95,630 ETH was sent to the OpenOcean DEX and then subsequently converted into ETH-pegged assets such as Lido Finance’s staked ETH (stETH) and wrapped staked ETH (wstETH).

Digging into the transaction history further, crypto community members such as Spreekaway also highlighted that the hacker went on to conduct a slew of odd-looking transactions.

For example, the hacker used their stETH holdings as collateral to borrow 13 million worth of the DAI stablecoin, before swapping it out for more stETH, wrapping it into stETH again and then borrowing some more DAI.

Notably, the Wormhole team has taken the opportunity to once again offer the hacker a bounty of $10 million if they return all the funds, leaving an embedded message to that effect in a transaction.

Embedded message. Source: Etherscan

The hacker’s hefty ETH transaction appears to have had a direct impact on the price of stETH, according to data from Dune Analytics. The asset’s price went from slightly under its peg, at 0.9962 ETH on Jan. 23, to as high as 1.0002 ETH the following day, before dropping back to 0.9981 at the time of writing.

With the Wormhole hack likely to catch more attention in light of the latest incident, blockchain security firms such as Ancilia Inc. warned on Jan. 19 that searching for the keywords “Wormhole Bridge” on Google currently shows promoted ad websites that are actually phishing operations.

The community has been warned to be diligent about what they click on in relation to this term.