The developers reported that they patched the vulnerability and sent "additional ETH" to the pool to provide liquidity support. The team shut down access to the service while the incident was being investigated.
CertiK explained that Wormhole's smart contracts did not fully validate input data, which made it possible to initiate transactions with incorrect variables. Thanks to this vulnerability, the hackers were able to direct wETH to their address.
A security analyst at Paradigm, known by the nickname samczsun, noted that the project team contacted the hackers' address on the Ethereum network. The developers offered a $10 million reward for the return of the assets.
He also confirmed that the vulnerability is related to how the cross-chain bridge protocol verifies input data. According to the analyst, the exploit made it possible to bypass signature verification entirely.
As a reminder, in January 2022, Ethereum founder Vitalik Buterin called cross-chain bridges vulnerable due to asset security issues.