Wormhole

avoid.net/wormhole42/100·87% conf.
[AI-DRAFTED · AWAITING VERIFICATION]

Summary

Wormhole is a cross-chain messaging and token bridge protocol enabling interoperability across more than 30 blockchain networks, originally developed by Certus One and later backed by Jump Crypto. On February 2, 2022, Wormhole suffered a $326 million exploit — the largest hack in Solana ecosystem history at the time — when an attacker exploited a deprecated Solana function to forge guardian signatures and mint 120,000 wETH without locking any collateral. Jump Crypto immediately replenished the stolen funds to keep users whole, and the project subsequently raised $225 million at a $2.5 billion valuation, separated from Jump Trading as an independent entity, and launched the W governance token in April 2024; as of 2026, the stolen funds remain substantially unrecovered despite a partial $140 million counter-exploit via English court order.

On-chain audit

Editorial decisions, corrections, and updates are anchored on Solana.

Protocol Overview

Wormhole is a generic cross-chain messaging protocol that enables the transfer of arbitrary data and token value across a growing set of blockchains. As of 2025, Wormhole supports more than 30 networks including Ethereum, Solana, BNB Chain, Polygon, Avalanche, Arbitrum, Optimism, Base, Fantom, Aptos, and others. The protocol was originally developed by Certus One, which was acquired by Jump Trading in August 2021, bringing Wormhole under Jump Crypto's stewardship. Wormhole's core architecture relies on a decentralized set of 19 validator nodes called Guardians. Each Guardian independently observes messages emitted by Wormhole's on-chain smart contracts across all supported chains. When a supermajority of 13 out of 19 Guardians cryptographically sign the same message, the network produces a Validator Action Approval (VAA), which functions as a proof enabling message delivery and asset minting on the destination chain. This guardian-based proof-of-authority model differs from fully trustless bridge designs and was the source of the 2022 exploit vulnerability. Beyond token bridging, Wormhole positions itself as a cross-chain messaging layer, with products including Native Token Transfers (NTT), which allows token issuers to maintain native token supply across chains without liquidity pools, and a Connect SDK for integrating cross-chain functionality into decentralized applications.

February 2022 Exploit — $326 Million Signature Verification Bypass

On February 2, 2022, an unknown attacker exploited a critical vulnerability in Wormhole's Solana smart contracts, minting 120,000 wrapped ETH (wETH) on Solana without depositing any corresponding ETH collateral on Ethereum. At prevailing prices, the stolen assets were valued at approximately $326 million, making it the largest hack in Solana ecosystem history at the time.

The attack was technically rooted in Wormhole's reliance on a deprecated Solana standard library function called load_instruction_at. The signature verification flow in Wormhole's post_vaa instruction delegated responsibility through a chain: post_vaa called verify_signatures, which in turn called the Solana Secp256k1 program. The deprecated load_instruction_at function was used to confirm that a Secp256k1 verification instruction had been included in the transaction, but critically, this function does not validate whether the account it reads from is the real Solana Instructions sysvar. The attacker exploited this gap by constructing a fake sysvar account pre-loaded with data that made it appear as though a valid Secp256k1 call had been made. This forged account was accepted by the deprecated function, producing a valid SignatureSet without any legitimate guardian signatures. The attacker then used this fraudulent SignatureSet to call complete_wrapped and mint 120,000 wETH on Solana.

After minting the wETH on Solana, the attacker bridged 93,750 wETH back across to Ethereum and redeemed it for native ETH, transferring it to Ethereum address 0x629e7da20197a5429d30da36e77d06cdf796b71a. The remaining approximately 26,250 wETH equivalent was initially held in a Solana wallet at address CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka. On-chain data also shows the attacker received 0.94 ETH from Tornado Cash prior to the attack, likely to cover transaction fees.

Wormhole posted a message during the incident offering a $10 million bug bounty to the attacker in exchange for returning the funds and providing exploit details; the attacker did not respond.
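The missing account check described in this section, modeled in plain Rust as an added example (it is not Wormhole's or the Solana SDK's code). The two address strings are Solana's published ids for the Instructions sysvar and the Secp256k1 program; the types, function names and placeholder accounts are assumptions made for illustration.

```rust
// Added illustration in plain Rust; not Solana SDK or Wormhole code.
// The two addresses are Solana's well-known ids; type and function names are hypothetical.
const INSTRUCTIONS_SYSVAR: &str = "Sysvar1nstructions1111111111111111111111111";
const SECP256K1_PROGRAM: &str = "KeccakSecp256k11111111111111111111111111111";

/// An account handed to the program by whoever built the transaction.
/// `ix_programs` models the sysvar payload: the program id of each instruction.
struct Account { key: &'static str, ix_programs: Vec<&'static str> }

#[derive(Debug, PartialEq)]
enum VerifyError { WrongAccount, NoSuchInstruction, NotSecp256k1 }

/// Unchecked read: parses whatever account was supplied and never looks at its address.
fn secp_ix_seen_unchecked(acct: &Account, index: usize) -> Result<(), VerifyError> {
    let program = acct.ix_programs.get(index).ok_or(VerifyError::NoSuchInstruction)?;
    if *program != SECP256K1_PROGRAM { return Err(VerifyError::NotSecp256k1); }
    Ok(())
}

/// Checked read: the account must be the runtime-owned Instructions sysvar
/// before any of its contents are trusted.
fn secp_ix_seen_checked(acct: &Account, index: usize) -> Result<(), VerifyError> {
    if acct.key != INSTRUCTIONS_SYSVAR { return Err(VerifyError::WrongAccount); }
    secp_ix_seen_unchecked(acct, index)
}

/// Constructed input: the genuine sysvar for a transaction with a Secp256k1 instruction.
fn genuine() -> Account {
    Account { key: INSTRUCTIONS_SYSVAR, ix_programs: vec![SECP256K1_PROGRAM, "BridgeProgramPlaceholder"] }
}

/// Constructed input: a caller-created account carrying the same layout at another address.
fn lookalike() -> Account {
    Account { key: "CallerOwnedAccountPlaceholder", ix_programs: vec![SECP256K1_PROGRAM] }
}

fn main() {
    for a in [genuine(), lookalike()].iter() {
        println!("{}: unchecked={:?} checked={:?}",
                 a.key, secp_ix_seen_unchecked(a, 0), secp_ix_seen_checked(a, 0));
    }
}
```

The unchecked function returns the same result for both accounts, which is why an address comparison has to come before any parsing of account data.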

Jump Crypto Bailout and Fund Recovery Attempts

Within approximately 24 hours of the exploit, Jump Crypto, the crypto arm of Chicago-based trading firm Jump Trading, announced it had deposited 120,000 ETH directly into the Wormhole bridge, fully replenishing the stolen collateral. Jump Crypto publicly stated it 'believes in a multichain future and that Wormhole is essential infrastructure' and confirmed it 'replaced 120K ETH to make community members whole.' This was widely described as the largest DeFi bailout in history at that time. Jump Trading had acquired Certus One, the original Wormhole development team, in August 2021, giving it a direct financial stake in the protocol's survival.

On February 21, 2023, the High Court of England and Wales issued an injunction ordering Oasis, a decentralized finance platform operated by MakerDAO ecosystem participants, to take steps to seize assets associated with the Wormhole exploit address. Oasis disclosed that it executed the court order by exploiting a previously undisclosed vulnerability in the design of its own admin multisig, allowing it to gain control over the exploiter's DeFi vaults on the platform. The operation, coordinated with Jump Crypto as the authorized third party under the court order, resulted in the recovery of approximately $140 million in assets (net of repaid DAI collateral debt). The assets were immediately transferred to a wallet controlled by the court-authorized third party. The Oasis counter-exploit drew significant commentary in the crypto community regarding the implications for DeFi's 'immutability' guarantees, as Oasis was able to unilaterally access user vaults under judicial order. The exploiter filed a counter-claim in the proceedings, and further legal activity was reported in New York courts in 2024, where a judgment was obtained declaring that the victims had a proprietary right and interest in the stolen funds.

On-Chain Addresses and Stolen Fund Movements

The following on-chain addresses have been publicly identified in connection with the February 2022 exploit:

- Primary Ethereum exploiter address: 0x629e7da20197a5429d30da36e77d06cdf796b71a (labeled 'Wormhole Network Exploiter' on Etherscan)
- Primary Solana exploiter address: CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka
- Intermediate Ethereum address used during laundering: 0x8184ef7a6e54c72f56577a45adc5aed68037af51
- Final Ethereum destination address: 0xe3174149f80d1ea429970ec5043e361bc003ddbd

The stolen funds remained dormant on-chain for nearly one year. On January 14, 2023, the exploiter's accounts on both Ethereum and Solana became active within approximately one hour of each other. On Solana, approximately 202,651 SOL and 2,683,305 USDCet were moved to new accounts and bridged to Ethereum. On January 23, 2023, additional activity occurred in which 95,630 ETH was sent to decentralized exchanges including OpenOcean and 1inch and converted into liquid staking tokens: Lido Finance's stETH and wrapped stETH (wstETH). The exploiter then used approximately 25,000 wstETH as collateral on MakerDAO to borrow approximately 14.5 million DAI, and cycled borrowed funds back into additional stETH purchases, a recursive collateralization strategy designed to obscure fund provenance through DeFi protocol interactions.

As of the Elliptic report in early 2023, the exploiter held approximately 71,407 wstETH, making them the third-largest holder of wstETH on Ethereum at the time. A portion of these assets was subsequently seized via the Oasis court-ordered counter-exploit in February 2023. The remaining unrecovered funds continue to be tracked by blockchain analytics firms.

Regulatory and Legal Aftermath

No direct criminal charges or regulatory enforcement actions have been publicly identified against Wormhole or Wormhole Labs itself as of mid-2026. The legal proceedings related to the hack have been primarily civil in nature. On February 21, 2023, the High Court of England and Wales issued an injunction directed at Oasis (oasis.app) ordering the retrieval of assets tied to the Wormhole exploit wallet. This order was carried out using Oasis's admin multisig in coordination with a court-authorized third party, recovering approximately $140 million net. Separately, in March 2024, a New York court issued a judgment declaring that victims of the Wormhole hack hold a proprietary interest in the stolen assets, a ruling that could support future recovery efforts. Jump Crypto, the entity that backstopped the hack losses and was Wormhole's parent organization at the time, subsequently faced separate regulatory scrutiny. In June 2024, Fortune reported that the U.S. Commodity Futures Trading Commission (CFTC) had launched an investigation into Jump Crypto. Jump Crypto President Kanav Kariya resigned shortly thereafter. Additionally, in December 2024, the SEC charged Jump Crypto's offshore entity, Tai Mo Shan Limited, with misleading investors about the stability of Terraform Labs' UST stablecoin and engaging in unregistered securities dealings in LUNA tokens; Jump agreed to settle for approximately $123 million. These regulatory actions against Jump were related to the Terra/LUNA collapse, not the Wormhole hack directly, but reflect broader regulatory scrutiny of the firm that underwrote Wormhole's losses.

Security Improvements and Post-Hack Rebuilding

Following the exploit, Wormhole patched the immediate vulnerability by replacing the deprecated load_instruction_at function with the properly validated current_instruction_at equivalent, which correctly verifies the Instructions sysvar address. The bridge relaunched after the patch and Jump Crypto's fund replenishment. In subsequent years, Wormhole implemented a layered security architecture. The Guardian Network was supplemented by two additional on-chain security mechanisms: the Global Accountant, which performs integrity checks on every token transfer to ensure that no chain can have more tokens minted or burned than were ever deposited, enforced by all 19 Guardians; and the Governor, which monitors and rate-limits asset outflows per chain per time period to contain the blast radius of any future exploit. As of 2024, Wormhole reported completing 29 third-party security audits. The protocol also operates one of the larger bug bounty programs in the DeFi space through Immunefi, with a maximum payout of $5 million. Google Cloud was added as one of the 19 Guardian node operators, providing additional infrastructure redundancy. Wormhole has also announced development of zero-knowledge proof-based verification mechanisms as a longer-term architectural improvement. In July 2023, TechCrunch reported on Wormhole's security improvements and rebuilding efforts, noting the protocol's attempt to move beyond the reputational damage of the hack.
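A simplified model of the two controls described above, the Global Accountant's balance check and the Governor's per-chain outflow limit, as an added Rust example that is not Wormhole's code. The chain ids, limit, window, type names and sample transfers are assumptions constructed for illustration, and this model rejects an over-limit transfer outright.

```rust
use std::collections::HashMap;

// Added illustration, not Wormhole code. Chain ids, limit and window are constructed.
const SOL: u16 = 1;
const ETH: u16 = 2;

#[derive(Debug, PartialEq)]
enum Reject { InsufficientBalance, RateLimited }

struct Transfer { token_chain: u16, from: u16, to: u16, amount: u64, time: u64 }

struct Controls {
    wrapped: HashMap<(u16, u16), u64>,     // (holding chain, token's native chain) -> backed wrapped supply
    recent: HashMap<u16, Vec<(u64, u64)>>, // source chain -> (time, amount) of approved outflows
    limit: u64,                            // max outflow per source chain per window
    window: u64,                           // window length in seconds
}

impl Controls {
    fn approve(&mut self, t: &Transfer) -> Result<(), Reject> {
        let (limit, window) = (self.limit, self.window);
        // Accountant: wrapped tokens can leave a chain only if they were bridged into it.
        if t.from != t.token_chain {
            let backed = self.wrapped.get(&(t.from, t.token_chain)).copied().unwrap_or(0);
            if backed < t.amount { return Err(Reject::InsufficientBalance); }
        }
        // Governor: cap what one source chain can send inside the sliding window.
        let log = self.recent.entry(t.from).or_default();
        log.retain(|(ts, _)| t.time.saturating_sub(*ts) < window);
        let used: u64 = log.iter().map(|(_, a)| *a).sum();
        if used.saturating_add(t.amount) > limit { return Err(Reject::RateLimited); }
        log.push((t.time, t.amount));
        // Both checks passed: commit the balance changes.
        if t.from != t.token_chain {
            *self.wrapped.entry((t.from, t.token_chain)).or_insert(0) -= t.amount;
        }
        if t.to != t.token_chain {
            *self.wrapped.entry((t.to, t.token_chain)).or_insert(0) += t.amount;
        }
        Ok(())
    }
}

/// Runs five constructed transfers of an ETH-native token and returns each decision.
fn scenario() -> Vec<Result<(), Reject>> {
    let mut c = Controls { wrapped: HashMap::new(), recent: HashMap::new(), limit: 150, window: 3600 };
    let t = |from, to, amount, time| Transfer { token_chain: ETH, from, to, amount, time };
    [t(ETH, SOL, 100, 0), t(SOL, ETH, 120, 10), t(SOL, ETH, 60, 20),
     t(ETH, SOL, 100, 30), t(ETH, SOL, 100, 3700)]
        .iter().map(|x| c.approve(x)).collect()
}

fn main() {
    for (i, r) in scenario().iter().enumerate() { println!("transfer {}: {:?}", i + 1, r); }
}
```

The second transfer models wrapped supply that exceeds what was bridged in and is stopped by the balance check; the fourth is stopped by the rate limit and the fifth passes once the window has rolled over.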

Independence from Jump Trading and $225M Fundraise

In mid-2023, the Wormhole team began operating independently of Jump Trading. The team formally incorporated as Wormhole Labs in May 2023, with approximately 15 staff, most from Jump Crypto, departing the firm in August 2023 to focus solely on the protocol. CEO Saeed Badreg and COO Anthony Ramirez left Jump Trading to lead Wormhole as an independent entity. Bloomberg first reported the separation in November 2023. Also in November 2023, Wormhole announced a $225 million funding round at a $2.5 billion valuation — the largest crypto fundraise of 2023 by deal size. Investors included Brevan Howard, Coinbase Ventures, Multicoin Capital, ParaFi Capital, Dialectic, Borderless Capital, Arrington Capital, and Jump Trading (retaining a stake). The investment was structured as token warrants rather than equity, with investors receiving rights to a portion of the yet-to-be-launched W token supply.

W Token Launch and Governance

In March 2024, Wormhole announced plans to distribute 617 million W tokens — representing 6.17% of a total supply of 10 billion — to past protocol users in an airdrop. The W token launched on April 3, 2024, with listings on Binance, Bybit, Bitget, OKX, Backpack, and Gate.io. W debuted at approximately $1.66 and the total protocol valuation at launch was approximately $3 billion fully diluted. Under the initial tokenomics, 82% of the total W supply was locked at launch with a four-year vesting schedule. Allocations included 5.1% to the Guardian Network (vested), 17% to the community (11% unlocked at TGE for the airdrop and early programs), and 11.6% to strategic network participants. The token is intended to power governance of the Wormhole DAO, with token holders eventually gaining voting rights over protocol parameters and treasury management. In September 2025, Wormhole announced a W 2.0 tokenomics upgrade introducing a 4% targeted base yield on W, a Wormhole Reserve mechanism, and a shift from annual token unlock cliffs to bi-weekly unlock schedules.

Cross-Chain Bridge Security Context

The Wormhole exploit occurred within a broader pattern of cross-chain bridge vulnerabilities that made 2022 the most destructive year for bridge hacks in DeFi history, with over $1.3 billion stolen across multiple protocols. The Ronin Bridge (Axie Infinity) was hacked for approximately $625 million in March 2022 when attackers compromised private keys of five out of nine validator nodes through a spear-phishing campaign, gaining the threshold needed to authorize fraudulent withdrawals. The Harmony Horizon Bridge was exploited for approximately $100 million in June 2022 through compromise of a 2-of-5 multisig setup. The Nomad Bridge lost approximately $190 million in August 2022 when a smart contract upgrade introduced a bug allowing any user to forge transfer proofs, triggering a chaotic free-for-all in which roughly 80% of losses were caused by copycat exploiters after the original attacker. Security researchers have categorized cross-chain bridge vulnerabilities into two broad types: smart contract logic flaws (as in Wormhole and Nomad) and compromised private keys or validator credentials (as in Ronin and Harmony). Chainlink has identified seven distinct vulnerability categories for bridge protocols. Reports from CertiK and other security firms have noted that cross-chain bridges represent high-value targets because they hold large pools of locked assets on one chain while minting equivalent representations on another, creating a systemic risk amplifier for the DeFi ecosystem. The Wormhole hack is also referenced as historical context in analyses of subsequent Solana ecosystem exploits. The Drift Protocol exploit of April 2026, which involved losses of approximately $285 million, became the second-largest Solana ecosystem hack after Wormhole, illustrating the continued risk profile of high-value DeFi protocols built on Solana.

Timeline

2021-08-01

Jump Trading acquires Certus One, the original developer of Wormhole, bringing the protocol under Jump Crypto's stewardship.

Fortune

2022-02-02

Wormhole exploited for 120,000 wETH (~$326M) via deprecated load_instruction_at function; attacker mints wETH on Solana without locking ETH collateral. Primary attacker Ethereum address: 0x629e7da20197a5429d30da36e77d06cdf796b71a.

CoinDesk

2022-02-03

Jump Crypto deposits 120,000 ETH into Wormhole bridge to replenish stolen funds, described as the largest DeFi bailout to date. Wormhole reopens.

CoinDesk

2023-01-14

Stolen funds move after approximately one year of dormancy. Exploiter activates Solana and Ethereum wallets within one hour of each other, bridging ~202,651 SOL and ~2.68M USDCet from Solana to Ethereum.

Elliptic

2023-01-23

Wormhole hacker converts 95,630 ETH into stETH and wstETH via 1inch and OpenOcean DEXes, and uses staked ETH as MakerDAO collateral to borrow DAI in a recursive collateralization strategy.

CoinTelegraph

2023-02-21

English High Court issues injunction ordering Oasis to retrieve assets associated with the Wormhole exploit wallet.

CoinDesk

2023-02-24

Jump Crypto and Oasis execute court-ordered counter-exploit, recovering approximately $140M net from the hacker's DeFi vaults. Oasis discloses it used a previously unknown admin multisig vulnerability to carry out the operation.

Blockworks

2023-05-01

Wormhole Labs formally incorporated as an independent entity, with a team of approximately 15, primarily from Jump Crypto.

Blockworks

2023-11-17

Bloomberg reports Jump Trading and Wormhole have parted ways; CEO Saeed Badreg and COO Anthony Ramirez leave Jump to run Wormhole independently.

CoinDesk

2023-11-29

Wormhole raises $225 million at a $2.5 billion valuation, the largest crypto fundraise of 2023, from investors including Brevan Howard, Coinbase Ventures, Multicoin Capital, and ParaFi.

CoinDesk

2024-03-06

Wormhole announces first airdrop of 617 million W tokens (6.17% of 10B total supply) to past protocol users.

CoinDesk

2024-04-03

W token launches on major exchanges including Binance, Bybit, OKX, and others. Wormhole debuts at approximately $3B fully diluted valuation with W priced near $1.66.

CoinDesk

2024-06-20

Fortune reports CFTC has launched an investigation into Jump Crypto. Jump Crypto President Kanav Kariya resigns shortly after. The investigation is unrelated to the Wormhole hack but reflects regulatory scrutiny of the firm that backstopped it.

Fortune

2024-12-01

SEC charges Jump Crypto's offshore entity Tai Mo Shan with misleading investors over Terra UST stability and unregistered LUNA securities dealings; Jump settles for approximately $123 million.

CCN

model: claude-code-investigator

generated: 5/10/2026, 6:08:43 AM

last updated: 5/10/2026, 6:08:43 AM
