$400 Million may seem like a lot of money for us mere mortals but that is exactly how much was stolen in DeFi hacks just this week! In case you missed the news, Wormhole lost $320M in a single exploit and just one day after that Qbit Finance got drained for $80 Million.

Could these two hacks alone shake up the cross-chain narrative DeFi has been pushing for a while now? Let's have a look.

What Happened?

I will not go in-depth with these two exploits but the Wormhole incident is more than interesting. For those that don't know, Wormhole is a very popular Solana bridge, and when bridges get exploited things can get wild.

For example, Wormhole lost about 120K Ethereum. The attacker was able to fool the bridge that they are indeed sending WETH from Solana and ended up minding "clean" ETH on Ethereum. If this was taken out of a liquidity pool it wouldn't be a big deal but since all of this ETH was supposed to backing 120k WETH on Solana, all WETH on SOL was technically worth zero after the exploit.

If you can't exchange your Solana WETH for real Etehreum then it theoretically has no value on Solana as well. This caused massive panic on the chain, people were borrowing ETH on lending platforms in anticipation that it will inevitably collapse once news breaks out but a twist of peculiar events unfolded and the stolen funds were replenished very quickly.

A bit too quickly if you ask me.

Less than 24 hours after the incident the Wormhole team restored the funds leaving everyone with all sorts of questions.

• How did this even happen?

• How can you scramble $320M like it is pocket change in such a short time period?

• What if the same happens again and no one puts up the money to cover for the losses? Will all WETH on Solana really be worthless?

All valid questions with seemingly no answer in sight. The team isn't giving away much information and crypto Twitter is speculating on many different theories including the involvement of Sam Bankman-Fried, CEO of FTX and creator of Solana, in the restored funds.

Cross-Chain vs Multi-Chain

Ironically enough, Vitalik Buterin commented on the flaws of a cross-chain approach and explained why it won't be a part of DeFi future, just a few weeks before major exploits started happening.

The problem with cross-chain bridging is that you don't really send tokens to other chains in the process. In this particular case, if you send ETH to Solana via a bridge you aren't getting the same token on the other end. Your ETH will be sitting in a contract waiting for you to pick it up on the way out and what you get is a receipt stating that there is ETH waiting for you at the exit.

If you sell that ETH on Solana you are actually selling the receipt to someone else. A perfectly simple solution to many problems DeFi brings but if too much ETH or BTC is sitting in one contract exploiting it would have catastrophic consequences.

What if it was 2M ETH tokens and not only 120K?

If the attacker never returned the funds and no one wanted to cover for the loss every ETH holder on Solana would be holding a worthless token that has absolutely no intrinsic value. It would be a race to sell your WETH for more than $0.

The sad part is that this situation doesn't only depend on the security of the contract. Here is a quote from Vitalik that illustrates a different scenario.

Now, imagine what happens if you move 100 ETH onto a bridge on Solana to get 100 Solana-WETH, and then Ethereum gets 51% attacked. The attacker deposited a bunch of their own ETH into Solana-WETH and then reverted that transaction on the Ethereum side as soon as the Solana side confirmed it. The Solana-WETH contract is now no longer fully backed, and perhaps your 100 Solana-WETH is now only worth 60 ETH. Even if there’s a perfect ZK-SNARK-based bridge that fully validates consensus, it’s still vulnerable to theft through 51% attacks like this.

For years we have criticized Tradfi systems that have a single point of failure only to end up building one ourselves. Luckily, atomic swaps and cross-chain liquidity may be a very elegant solution to this problem that is currently brute-forced into acceptance.

In the future, we’ll have both multi-chain ecosystem networks like Polkadot and Cosmos where chains rely upon a shared security mechanism as well as cross-chain bridges like AtomicDEX that connect blockchains ecosystems that would otherwise be siloed. This will likely mean that DEXs and bridging solutions will reach mass adoption.

This Is Where The Fun Stops

As DeFi continues to grow we will surely have more and more incidents like these. Contracts are written by humans and you can't make humans error-proof. Considering how young crypto and DeFi really are it is arrogant to assume that we will just magically start writing full-proof contracts that are unexploitable by design. It can't happen and it won't happen any time soon.

We are still at a stage where individuals or small groups perform these exploits and attacks but what happens when we start seeing blockchain wars? Binance didn't think twice when they helped Justin Sun take over Steemit governance by force, why would anyone think that they won't do the same if Solana or Avalanche start taking their userbase away from them?

As the great George Carlin would say, it's a big club and you ain't in it. Act accordingly and trust no one. Especially if they have a lot of disposable crypto.