Skip to main content

This site is for educational purposes only. Nothing here constitutes financial advice.

Back to all case studies
Bridge Exploit
2022-02-02120,000 wETH (~$325M at the time)

Wormhole Bridge Exploit

February 2022 — $325M drained from Wormhole's Solana–Ethereum bridge via a signature-verification bug. Jump Crypto immediately backstopped the loss.

Wormhole was, in early 2022, the dominant bridge connecting Solana to Ethereum (and several other chains). It enabled assets on one chain to be locked in custody while equivalent 'wrapped' tokens were minted on the destination chain. The bridge held substantial pooled assets — at the time of the exploit, it custodied over $1 billion in user funds across multiple chains.

On February 2, 2022, an attacker exploited a signature-verification flaw in Wormhole's Solana-side smart contract to mint 120,000 wrapped ETH (wETH) on Solana without depositing the corresponding ETH on the Ethereum side. The minted wETH was worth approximately $325 million at the time. The attacker bridged most of the wETH to Ethereum and sold portions; the rest was eventually recovered via negotiated settlement.

Within 16 hours of the exploit, Jump Crypto (a major market maker and Wormhole's largest backer) committed $325 million from its own treasury to replenish the bridge's Ethereum-side reserves and preserve the 1:1 backing of all wrapped tokens. This intervention prevented contagion to the broader Solana DeFi ecosystem, which had hundreds of millions of dollars of positions denominated in Wormhole-wrapped assets.

Timeline

  1. 2021-10
    Wormhole rebrands from 'Solana Wormhole' to a multi-chain bridge supporting Solana, Ethereum, BSC, Polygon, Terra, Avalanche, Oasis, and Fantom.
  2. 2022-01-13
    Solana SDK update introduces new signature verification functions; old functions are deprecated.
  3. 2022-02-02 18:23 UTC
    Attacker submits a forged guardian signature transaction to the Solana-side Wormhole contract.
  4. 2022-02-02 18:24 UTC
    Solana contract accepts the forged signature; mints 120,000 wETH to the attacker's address.
  5. 2022-02-02 18:28 UTC
    Attacker begins bridging the minted wETH from Solana to Ethereum.
  6. 2022-02-02 ~19:00 UTC
    Wormhole team detects the exploit. Bridge is paused.
  7. 2022-02-02 21:30 UTC
    Wormhole publicly discloses the exploit. Offers attacker a $10M whitehat bounty for return of funds (declined).
  8. 2022-02-03 ~10:00 UTC
    Jump Crypto announces it will replenish the missing 120,000 ETH from its treasury to restore the bridge.
  9. 2022-02-03
    Wormhole patches the vulnerability; bridge resumes operation.
  10. 2024-02
    Two-year anniversary; portion of stolen funds remain dormant in attacker-controlled wallets; remainder partially recovered through whitehat negotiation and exchange cooperation.

Mechanism

The bridge architecture. Wormhole used a guardian-network model. A set of 19 (originally) 'guardian' nodes signed attestations about events on each connected chain. To mint a wrapped token on chain B in exchange for a deposit on chain A, a transaction on chain B's Wormhole contract had to present signed attestations from a supermajority of guardians proving the deposit had occurred. The Solana-side contract verified these signatures against the guardian public keys.

The signature verification flaw. The Solana smart contract used Solana's `Secp256k1` signature verification system. In January 2022, Solana introduced a newer signature verification function (with stronger semantics) and deprecated the older one. Wormhole's Solana contract continued to use the older deprecated function. Crucially, the older function did not verify that the signature verification *instruction* in the Solana transaction actually corresponded to the guardian-set check the Wormhole contract expected — it only verified that *some* signature verification had occurred. An attacker could construct a transaction that included a signature verification instruction for a different message, and the Wormhole contract would accept it as if it had verified the guardian-attestation message.

The exploit transaction. The attacker submitted a transaction that (a) included a `Secp256k1` verification instruction validating a forged guardian-signature message, and (b) called Wormhole's mint function citing the now-'verified' message. The deprecated verification function returned success because *some* signature had verified. Wormhole's mint logic accepted this as authorisation and minted 120,000 wETH to the attacker's specified address. The attack required deep familiarity with both Solana's signature verification semantics and Wormhole's contract architecture.

The bridge-to-Ethereum step. Once the 120,000 wETH was minted on Solana, the attacker used Wormhole's own bridge mechanism (functioning correctly for this step) to move 93,750 wETH back to Ethereum, where it could be sold for stables or other assets. Approximately 26,250 wETH was retained on Solana and used to acquire other assets in the Solana DeFi ecosystem.

Why Jump Crypto intervened. Jump Crypto was Wormhole's largest external backer and a major Solana-ecosystem market maker. The economic stakes were substantial: if the 120,000 wETH theft remained unfunded, every Wormhole-wrapped ETH on Solana (which traded as if 1:1 backed) would have been under-collateralised, and the Solana DeFi protocols holding these wETH positions would have faced an immediate run. Jump's intervention preserved the 1:1 backing, prevented contagion, and maintained Wormhole's operational continuity — at a direct cost of $325 million to Jump's treasury.

Impact

The Wormhole exploit reframed how the industry thought about bridge security and bridge-backer responsibility. Jump Crypto's intervention established a precedent — that major bridge backers might (but are not obligated to) make whole user losses from exploits. This precedent was widely understood as conditional: bridges with prominent institutional backers might be backstopped, while bridges without were not. Technically, the exploit drove home that custom signature-verification logic on rapidly-evolving chains carries unusual risk: Solana's deprecated verification function would have been replaced with the safer alternative in normal protocol maintenance, but Wormhole hadn't migrated. The pattern recurred in subsequent exploits where contracts continued to use deprecated chain primitives. Wormhole subsequently increased its guardian set, upgraded its signature verification, and underwent multiple additional audits.

Operational lessons

  1. 1Custom signature verification is high-risk surface. When a smart contract implements its own signature verification (instead of using well-tested standard libraries or chain-native primitives), it inherits all the subtle semantics of the underlying cryptographic primitives. Bridges that custom-verify guardian signatures, validator signatures, or cross-chain proofs are particularly exposed.
  2. 2Deprecated chain functions are exploit surface. When a blockchain deprecates a function in favour of a safer alternative, the deprecated function often retains less-safe semantics for backward compatibility. Contracts that continue to use deprecated functions are operating with security properties that may have changed.
  3. 3Bridge backers are not guaranteed to make users whole. Jump Crypto's $325M intervention was extraordinary, not standard practice. Users of bridges without prominent institutional backers (Nomad, Multichain) experienced very different outcomes when those bridges were exploited. The Wormhole precedent should not be over-generalised.
  4. 4Detection at the contract level matters. Wormhole detected the exploit within ~30 minutes of the unauthorised mint — fast enough to pause the bridge and prevent further damage. The detection was reportedly possible because the attacker's transaction created an anomalous balance state in the bridge's reserve accounting. Contracts holding pooled value should include accounting checks that fire alerts when invariants are violated.
  5. 5Audits don't catch all signature-verification bugs. Wormhole had been audited multiple times. The exploit succeeded because the auditors hadn't caught the specific semantics of the deprecated Solana function vs. how Wormhole used it. Multi-firm audits reduce risk but don't eliminate it; complex cross-chain signature-verification logic is unusually difficult to audit comprehensively.

Aftermath

Jump Crypto's intervention made affected users completely whole, the patched bridge resumed operation within 24 hours of the exploit, and Wormhole has not experienced a similar exploit since. The attacker retained substantial assets on Solana that they laundered through multiple DeFi positions; some funds were recovered through whitehat negotiation and cooperation from exchanges, but a meaningful fraction remains in attacker-controlled wallets. Wormhole subsequently expanded its guardian set, migrated to safer signature verification primitives, and underwent additional audits. The bridge has continued to operate at substantial scale through 2024–2026. Jump Crypto's intervention itself drew industry attention as both a stabilising action and an unusual concentration of risk — a single market maker absorbing a $325M shortfall is not a sustainable model for bridge security at industry scale.

Sources & further reading

We prioritise primary sources. Where a topic moves quickly (regulation, security incidents), we re-check sources on the cadence shown by the page's "Next review" date.

Related on Block Clarity Hub

DeFi Safety L6 — Bridges revisited
Bridges and cross-chain risk
Bridge Safety Guide
Spotted an error? Report it on GitHubour correction policy