
Wormhole: $320M Stolen, Then Counter-Exploited Back

120,000 ETH minted from thin air. Jump Crypto bailed it out the next day. Then they hacked the hacker to get it back.

SYNTH·Hack Database

Wormhole was one of the biggest bridges connecting Solana to Ethereum. On February 2, 2022, someone found a bug in its signature verification system and used it to mint 120,000 wETH out of thin air. That is $320 million in Ethereum, created from nothing.

The vulnerability was in how Wormhole verified guardian signatures on the Solana side. The attacker figured out a way to bypass the verification process entirely, tricking the bridge into believing a legitimate set of guardians had approved a massive deposit that never happened. Elliptic described it as a "failure to validate guardian accounts." The attacker then redeemed the fake deposit on the Ethereum side for real ETH.
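
The class of flaw described above, as an added example that is not from the original article or from Wormhole's code: a simplified Rust model in which a verifier reads a caller-supplied account to learn how many guardian signatures were checked. The account layout, addresses, owner tags and quorum value are all constructed assumptions.

```rust
// Simplified model of account validation. All names, addresses and the
// quorum value are constructed for illustration; this is not Wormhole's code.
#[derive(Debug)]
struct Account {
    address: [u8; 4], // stand-in for a 32-byte account address
    owner: [u8; 4],   // program allowed to write this account's data
    data: Vec<u8>,    // data[0] = count of guardian signatures recorded as verified
}

const TRUSTED_ADDRESS: [u8; 4] = *b"SIGV"; // the one account the verifier should read
const TRUSTED_OWNER: [u8; 4] = *b"SYS0";   // the only writer the verifier should trust
const QUORUM: u8 = 13;                      // constructed threshold

#[derive(Debug, PartialEq)]
enum VerifyError { WrongAccount, WrongOwner, NoQuorum }

// Flawed pattern: reads the caller-supplied account without checking what it is.
fn approve_unchecked(record: &Account) -> Result<(), VerifyError> {
    match record.data.first() {
        Some(&n) if n >= QUORUM => Ok(()),
        _ => Err(VerifyError::NoQuorum),
    }
}

// Hardened pattern: confirm the account's identity and owner before its contents.
fn approve_checked(record: &Account) -> Result<(), VerifyError> {
    if record.address != TRUSTED_ADDRESS { return Err(VerifyError::WrongAccount); }
    if record.owner != TRUSTED_OWNER { return Err(VerifyError::WrongOwner); }
    approve_unchecked(record)
}

// Constructed inputs: the genuine record, and a look-alike written by another program.
fn genuine(count: u8) -> Account {
    Account { address: TRUSTED_ADDRESS, owner: TRUSTED_OWNER, data: vec![count] }
}
fn look_alike(count: u8) -> Account {
    Account { address: *b"FAKE", owner: *b"USER", data: vec![count] }
}

fn main() {
    println!("unchecked, look-alike: {:?}", approve_unchecked(&look_alike(19)));
    println!("checked,   look-alike: {:?}", approve_checked(&look_alike(19)));
    println!("checked,   genuine:    {:?}", approve_checked(&genuine(19)));
    println!("checked,   genuine(3): {:?}", approve_checked(&genuine(3)));
}
```

The distinct error variants let a monitor tell a substituted account apart from an ordinary shortfall in signatures.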

The attacker moved fast. Within hours, they swapped a chunk of the stolen wETH for regular ETH on the Ethereum mainnet, making it much harder to freeze. Wormhole offered a $10 million bug bounty and a white hat agreement in exchange for returning the funds. The hacker ignored it.

Jump Crypto, a major Chicago-based trading firm and investor in Wormhole, stepped in the next day and replaced the entire $320 million from their own pocket. No bankruptcy. No decade of creditor lawsuits. Just a massive check from a backer with deep enough pockets to absorb a nine-figure loss. Wormhole was back online within 24 hours.

The story should have ended there. It did not. The hacker parked the stolen funds in DeFi protocols, opening leveraged positions through Oasis.app vaults. They created a Wrapped Staked ETH vault in January 2023 and a Rocket Pool ETH vault in February 2023, accumulating $78 million in DAI debt against the stolen collateral.

That was their mistake. On February 21, 2023, Jump Crypto obtained an order from the High Court of England and Wales authorizing the retrieval of the stolen assets. Working with Oasis, they executed what the community called a "counter-exploit" - using Oasis's own multisig upgrade capability to move 120,695 wstETH and 3,213 rETH from the hacker's vaults directly to wallets under Jump's control. They also recovered the $78 million in DAI debt. Total recovery: approximately $225 million.

Jump Crypto hacked the hacker. With a court order. The ethics of exploiting a DeFi protocol's upgrade mechanism to seize funds - even stolen funds - sparked intense debate. Oasis confirmed they acted under court order. The community was split between applause and alarm. If the good guys can use upgradeable contracts to seize assets, so can the bad guys. So can governments.

The Wormhole hack proved three things. Bridges are the weakest link in DeFi. Having a billionaire backer solves the immediate crisis but not the underlying vulnerability. And if you steal $320 million and then deposit it into a DeFi protocol with an upgradeable multisig, you deserve what happens next.

The Aftermath

Jump Crypto bailed out the full $320M on day one, then counter-exploited the hacker a year later via Oasis.app with a UK court order, recovering approximately $225M. The hacker's identity remains unknown. The incident exposed bridge vulnerabilities and triggered 'bridge season' - a wave of bridge exploits including Ronin ($625M) and Nomad ($190M) in the same year.

Lessons Learned

- Bridges are crypto's biggest attack surface. Three of the five largest DeFi hacks targeted bridges.
- Having a billionaire backer is not decentralization, but it kept users whole when the code failed.
- If you steal $320M and deposit it in a protocol with an upgradeable multisig, you are asking to get counter-exploited.

Filed under Hack Database