In February 2022, we reported that the Wormhole portal, the decentralized finance (DeFi) bridge between Solana and other blockchains, had been hacked, with 120,000 Ether (ETH), then worth around $325 million, stolen.
The exploit allowed the attacker to mint 120,000 wrapped ETH on the Solana blockchain, of which 93,750 ETH was then transferred to the Ethereum blockchain.
After that, this ETH was bridged to Solana, where it remained until January 14, 2023, when funds started moving again.
What happened
A few weeks before the one-year anniversary of the hack, on January 14, the exploiter’s accounts on Ethereum and Solana became active again within an hour of each other.
First, the exploiter’s Solana account (CxegPr…) transferred ten SOL to a new account (5XiqTJ…). This was followed by a transfer of 202,651.15 SOL and 2,683,305.11 USDCet (Wormhole USDC). Then 10,009 SOL were exchanged for USDCet (Wormhole USDC) and transferred to Ethereum in three transactions totaling 2,901,593.73 USDCet (Wormhole USDC).
On Ethereum, the exploiter’s account (0x629e…) transferred 0.2 ETH to a new account (0x8184…). That account then received the bridged funds from Solana in these three corresponding transactions:
- 2,683,305.114183 USDC (Ethereum)
- 218,084.641209 USDC (Ethereum)
- 203.98844 USDC (Ethereum)
The USDC was swapped for ETH using Curve SynthSwap, a new type of asset swap on Curve that uses Synthetix as a bridge. These swaps are designed for large trades because they have very little slippage; however, they consist of two parts and require two on-chain transactions.
The first transaction shows a swap of 218,288.629649 USDC and the second transaction shows a receipt of 141.776268801230825515 ETH. The remainder – 2,683,305.114183 USDC – was exchanged for 1,746.31635471 ETH using 1inch.
After this flurry of activity – which lasted approximately three hours – the funds remained inactive until January 23rd, when again within an hour of each other, both the previously mentioned Solana and Ethereum accounts began moving funds again.
On Solana, the main exploiter’s account began funding a new account (AuZrsp…):
- Account funding transaction of one SOL.
- Transfer of 1,445,651 USDC in one transaction (returned within two minutes).
- Transfer of 1,327,786.75 USDCet in five transactions.
- Transfer of 236.46 WETH in three transactions.
- Transfer of 856,526.79 DAI in four transactions.
- Transfer of 815,812.80 USDT in three transactions.
All these funds were bridged to Ethereum via Wormhole to a new account (0xe317…), which was initially funded from the original exploiter’s account (0x629e…), and exchanged for stETH (Lido Staked ETH) before being transferred to 0x629e in one transaction of 2,078.098445258488720507 stETH. That stETH was then wrapped into 1,878.183041049763114736 wstETH.
At the same time that funds on Solana were being bridged to 0xe317 on the 23rd, the funds that had been bridged to 0x8184 on the 14th and exchanged for Ether were transferred back to 0x629e in a single transaction of 1,888.198678438575880 ETH.
The exploiter then exchanged the 95,630 ETH for 95,677.79824465 stETH, which was then wrapped, to be usable in a wider number of DeFi applications, as 86,473.48660411 wstETH.
stETH is a rebasing token: its token balances change daily to reflect accumulated staking rewards. Some DeFi protocols require a constant-balance mechanism, so stETH can be wrapped into wstETH to keep the balance fixed and allow it to be used in more DeFi applications.
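The rebasing and wrapping behaviour described above, as an added example that is not part of the original article: a simplified share-based model showing why a wstETH amount stays fixed while the stETH it represents grows, plus a check that the two wraps reported in this article imply the same stETH-per-wstETH rate. The class, the function names and the pool totals are assumptions constructed for illustration; only the two wrap figures come from the article.

```python
from decimal import Decimal, getcontext

getcontext().prec = 40

class RebasingPool:
    """Simplified share-based model (assumption): a holder's stETH balance is
    shares * pooled / total_shares, and 1 wstETH represents 1 share."""

    def __init__(self, pooled_eth, total_shares):
        self.pooled_eth = Decimal(pooled_eth)
        self.total_shares = Decimal(total_shares)

    def steth_per_wsteth(self):
        return self.pooled_eth / self.total_shares

    def wrap(self, steth):
        return Decimal(steth) / self.steth_per_wsteth()

    def unwrap(self, wsteth):
        return Decimal(wsteth) * self.steth_per_wsteth()

    def rebase(self, rewards_eth):
        # Rewards grow the pool; share (wstETH) counts are untouched.
        self.pooled_eth += Decimal(rewards_eth)

# (stETH wrapped, wstETH received) as reported in the article.
ARTICLE_WRAPS = [
    (Decimal("2078.098445258488720507"), Decimal("1878.183041049763114736")),
    (Decimal("95677.79824465"), Decimal("86473.48660411")),
]

def implied_rates(wraps):
    """stETH-per-wstETH rate implied by each reported wrap."""
    return [steth / wsteth for steth, wsteth in wraps]

def same_rate(wraps, rel_tol=Decimal("0.000001")):
    """True when all wraps imply one rate (in this model: no rebase between them)."""
    rates = implied_rates(wraps)
    return (max(rates) - min(rates)) / min(rates) <= rel_tol

def demo():
    # Constructed pool totals, chosen only to give a rate near the article's.
    pool = RebasingPool("1106440", "1000000")
    wsteth = pool.wrap("95677.79824465")
    before = pool.unwrap(wsteth)
    pool.rebase("150")  # constructed reward amount
    after = pool.unwrap(wsteth)
    return wsteth, before, after

if __name__ == "__main__":
    print(implied_rates(ARTICLE_WRAPS), same_rate(ARTICLE_WRAPS))
    print(demo())
```

When tracing these funds across days, compare wstETH amounts rather than stETH balances, since only the former stay constant between rebases.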
The exploiter then used 25,000 wstETH as collateral to borrow 14,500,000 DAI on Maker. The active vault can be viewed on Oasis.
The DAI was later used to buy more stETH, which was then wrapped into 8,055.567937454821922 wstETH.
What’s next for the exploiter?
As of today, the exploiter is the third-largest holder of wstETH, with a balance of 71,407, worth approximately $128 million.
Furthermore, 149,782.31 SOL, worth approximately $3.7 million, remains in his Solana account.
We will continue to monitor these assets, and Elliptic is taking steps to systematically identify and flag these addresses in its tools. Virtual asset services and criminal investigators will be able to review and track them using our solutions.