Further down the hole, we go.
Yesterday, hackers stole more than 120,000 ETH, or the equivalent of $323 million, in the second-largest DeFi exploit of all time — and the largest attack-to-date on Solana ( SOL -x%). The attack’s target was Wormhole, a popular bridging platform for blockchains like Avalanche, Ethereum, Solana, and Terra.
This attack exposes real concerns regarding wrapped and bridged assets and is another concern compounding to recent Solana problems.
What Happened?
In short, the devil is in the git commits — and the hackers must have been watching like hawks. The exploit was found on a deprecated validation step on Solana. But how is this possible?
Wormhole’s protocol has a set of “guardians” that essentially verify transfers of assets between chains. Somehow, the guardians verified the hacker’s transfer of ETH from Solana to Ethereum as a legitimate transaction.
This is where things get interesting.
- The attacker found a way to mint fake Wormhole ETH on Solana
- Then made it look as though the guardians approved the deposit
- Finally, they made their “Wormhole ETH” real by withdrawing it back to Ethereum
And like that, Wormhole ETH went to zero, and all the ETH in Solana was backed by nothing — a worst-case scenario that will have broad implications for DeFi.
3 Takeaways to Consider for Tax Preparation and Accounting
1. Bridged and Wrapped assets ≠ L1 assets
Bridging assets across Layer 1 (L1) and Layer 2 (L2) protocols is a foundational component of current DeFi scaling trends. However, a fundamental problem with bridged assets has largely been ignored: Is a bridge asset the same as the original asset?
The answer is no. While it may be tempting to think of a bridged asset as 1 to 1 equivalent, it is not. And the hackers were able to exploit this by minting Wormhole ETH and withdrawing that to real ETH. A more subtle form of this attack could have resulted in small minting actions over the course of longer periods, gradually causing the Solana balance to drift from the Ethereum locked balance.
Takeaway: Bridged and wrapped assets have a different risk models than L1s, and that maybe impact their tax and accounting treatments. In an ideal world, bridging would work as a transfer between wallets, so the cost basis would not have to be re-established. However, it is not that simple, and you probably need to talk to as professional.
2. These are Novel Attack Vectors
Crypto assets are marked by novelty — and the Wormhole hack is a novel failure in the market system. “Normal” crypto hacks like the recent Bored Ape Yacht Club NFT theft only impact a select group of people. But the Wormhole attack affected all holders of Wormhole ETH when the bridged asset went to zero and became worthless.
This threatens the entire DeFi system — investors in Solana Wormhole ETH liquidity pools were probably exposed to arbitragers who could exchanged worthless Wormhole ETH for other Solana assets. This then has a contagion effect where even modest exposure to the hacked asset results in substantial monetary loss across different markets.
3. Ethereum wins the day
Solana is already down close to 40% from all-time highs — and the wormhole attack will only make matters worse. Patrick White, Co-founder, and CEO of Bitwave, predicts that the impact on the price action of ETH will be positive. “The exchanges will quickly move to block off the stolen ETH, so we’re effectively looking at a decrease in the ETH supply,” says Patrick.
The Wormhole attack demonstrates that DeFi is still in its infancy — and security in its infrastructure still has a long way to go. While it was reported the hack loss was fully covered by a crypto VC friendly to Solana, the impacts of this attack will continue to affect the space. “Beyond everything else, showing people the risk of bridging between protocols is a major positive for the upcoming ETH 2.0 launch.”
Disclaimer: The information provided in this blog post is for general informational purposes only and should not be construed as tax, accounting, or financial advice. The content is not intended to address the specific needs of any individual or organization, and readers are encouraged to consult with a qualified tax, accounting, or financial professional before making any decisions based on the information provided. The author and the publisher of this blog post disclaim any liability, loss, or risk incurred as a consequence, directly or indirectly, of the use or application of any of the contents herein.