A 326 Million Dollar Smart Contract Bug

2 minute read | Last updated 2-Feb-2022 |  Security, Risk, Ship30for30

Another hack. Another setback for Web3. Another code quality issue costs millions.

What Happened

Wormhole is a service that helps you move value from one blockchain to another. So if you want to take 1 SOL from the Solana blockchain to the Ethereum blockchain, Wormhole will help make that happen.

The way it does this is through smart contracts.

A smart contract on one blockchain makes sure you have the funds and then holds them. On the destination blockchain, another smart contract buys the necessary funds and transfers them to the purchaser.

Conceptually, this is very straightforward.

Code Quality vs. Hacker

Smart contracts are code. Code almost always has bugs.

If a malicious actor finds those bugs before the developer does, bad things usually happen.

That’s exactly what happened to Qubit Finance recently. And that’s exactly what just happened to Wormhole.

A malicious actor found the bug in the smart contract system Wormhole uses and leverage that bug to steal cryptocurrency on three different blockchains worth an estimated total of $326 million dollars.

Test, Test, Test

What happened to Qubit Finance and Wormhole was unfortunate and it was wrong. In both cases, it appears that the actions were malicious and ill-intentioned.

Both of these cases highlight the need for extremely details and rigorous testing of the code that runs smart contracts.

Developers working in Web3 and specifically in the DeFi (Decentralized Finance) areas need to understand the risk that error in the code pose.

It’s one thing if a video game you write has a bug in it. The consequences are usually a bit of player frustration that goes away when you fix the bug.

If the Web3 world, a bug can cost you millions.