Data sourced from Etherscan indicates that the exploiter first swapped 95,360 ETH worth roughly $157 million on DeFi aggregator OpenOcean and then transacted smaller amounts capital through several decentralized finance protocols such as Kyber Network and 1Inch.
The exploiter levered up, borrowing DAI and interacting with several smart contracts on Lido, the top provider for liquid staking derivatives on Ethereum. The exploiter’s address, which begins with 0x629 is now the 3rd largest holder of wrapped stETH, according to data analytics platform Nansen.
Darkfi.eth (not related to DarkFi, the layer 1 blockchain with the Lunarpunk philosophy), one of the hackers who exploited the Nomad bridge in Aug. 2022 in order to rescue its funds from malicious actors, said, “Its possible that they are somehow using this to launder the money. Hard to tell for sure but there are definitely ways they could have extracted value on other wallets from this activity … Could also just be degens tho lmao, all kinda speculation at this point.”
The expoliter’s Lido shenanigans were so massive that they had a material effect on the market for the popular liquid staking derivative. Its 24-hour trading volume is up over 3000%, per CoinGecko. During the chaos of the day, stETH’s price increased relative to ETH, jumping above its 1:1 peg temporarily, before settling at 0.9985, per Dune Analytics.
The sudden activity by the exploiter prompted its victims to respond. In one transaction, an address belonging to Wormhole sent an on-chain message asking the exploiter to return the stolen funds in exchange for a $10 million bounty.
The Wormhole Network exploiter did not return a request comment to CoinDesk via Blockscan.
Here is the walk-through for the exploiter’s shuffle of funds
First, the Wormhole Network exploiter triggered a transaction on OpenOcean that swapped 96,630 ETH for 96,677 stETH, Lido’s derivative token that stands for the total value of a user’s initial staked ETH and its accrued interest.
Second, the Wormhole Network exploiter decided in another transaction to wrap 86,473 stETH.
Third, the exploiter deployed 25,000 wrapped stETH as collateral to borrow $13 million DAI.
Fourth, the exploiter used the $13 million DAI it just borrowed to accumulate almost 8,000 stETH on Kyber Network, an Ethereum-based decentralized exchange.
Fifth, the exploiter executed a transaction to wrap the roughly 8,000 stETH it received moments ago.
Sixth, the exploiter received $1.5 million DAI.
Seventh, the exploiter swapped out the $1.5 million DAI for some 923 stETH through DEX Aggregator 1Inch.
The exploiter has since continued receiving thousands of wrapped staked ether (wstETH) tokens.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.