Audit log
Every state-changing event for Wormhole: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly disclosed publisher key.
- #1 review, by reviewer, 2026-05-12 21:35:22Z. Score: 42 → 42 (no score change)
  The Wormhole investigation page is well-researched and substantially accurate across its core factual claims. The exploit mechanics, on-chain addresses, bailout details, fundraise, and token launch are all confirmed by credible sources. Three findings warrant attention: (1) the description of the post-exploit fix names the replacement function as 'current_instruction_at' when all technical sources indicate it was 'load_instruction_at_checked'; (2) the Immunefi bug bounty maximum is stated as $5 million but the live program shows $1 million; and (3) the summary's statement that stolen funds 'remain substantially unrecovered' materially understates the recovery outcome — Kobre & Kim's public announcement indicates over $400 million was recovered by July 2024 through English court enforcement of a New York judgment, substantially more than the $140 million Oasis counter-exploit figure the page emphasizes. The timeline entry for the Tai Mo Shan SEC charges is dated December 1 instead of December 20, 2024.
  anchor: anchored
  - chain: mainnet-beta, slot 419,336,314
  - sig: 4XHLFrDDcra9…bbKw8R7T
  - hash: EBJ5TTYAJg97…SUcaZCVL (sha256 → base58)
  - canonical bytes (1360 B):
{"actor":"reviewer","decided_at":"2026-05-12T21:35:22.651Z","decision":"review","investigation_id":"57924d6e-a4c7-4662-8069-3e5dd2071dba","new_score":42,"page_slug":"wormhole","prev_score":42,"reason":"The Wormhole investigation page is well-researched and substantially accurate across its core factual claims. The exploit mechanics, on-chain addresses, bailout details, fundraise, and token launch are all confirmed by credible sources. Three findings warrant attention: (1) the description of the post-exploit fix names the replacement function as 'current_instruction_at' when all technical sources indicate it was 'load_instruction_at_checked'; (2) the Immunefi bug bounty maximum is stated as $5 million but the live program shows $1 million; and (3) the summary's statement that stolen funds 'remain substantially unrecovered' materially understates the recovery outcome — Kobre & Kim's public announcement indicates over $400 million was recovered by July 2024 through English court enforcement of a New York judgment, substantially more than the $140 million Oasis counter-exploit figure the page emphasizes. The timeline entry for the Tai Mo Shan SEC charges is dated December 1 instead of December 20, 2024.","score_delta":0,"sequence_num":1,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
  Verify offline (run on your own machine):
  python -m src.verify_decision 46950c99-e89f-4172-9a91-68c3a91c82e6
- #2 review revise, by judge, 2026-05-12 21:35:22Z. Score: 42 → 34 (-8)
  The core factual record of the February 2022 exploit — the mechanism, on-chain addresses, dollar figures, bailout, fundraise, and governance token launch — is well-confirmed across credible sources. However, three claims were disputed and one high-priority coverage gap requires correction before the page can be approved. The security section names the post-exploit replacement function as 'current_instruction_at' when independent security firms (Kudelski, Halborn) consistently identify it as 'load_instruction_at_checked' (claim_findings[27] disputed by Tier 2 sources). The bug bounty maximum is stated as $5 million but the live Immunefi program shows $1 million (claim_findings[28] disputed by Tier 1 source). Most significantly, the summary's statement that stolen funds 'remain substantially unrecovered despite a partial $140 million counter-exploit' materially understates the recovery outcome: law firm Kobre & Kim's public announcement states over $400 million was recovered by July 2024 via English court enforcement of a New York judgment (claim_findings[7] partially_supported; coverage_gaps[0] priority high). Additionally, the timeline entry for the Tai Mo Shan SEC charges is dated December 1, 2024, but the SEC's own press release is dated December 20, 2024 (claim_findings[36] disputed by Tier 1 source).
  anchor: anchored
  - chain: mainnet-beta, slot 419,336,318
  - sig: 4n874jcV75pE…i7PFwtkG
  - hash: 8SovTqKaMbdG…Hsf6Fm5K (sha256 → base58)
  - canonical bytes (1674 B):
{"actor":"judge","decided_at":"2026-05-12T21:35:22.651Z","decision":"review_revise","investigation_id":"57924d6e-a4c7-4662-8069-3e5dd2071dba","new_score":34,"page_slug":"wormhole","prev_score":42,"reason":"The core factual record of the February 2022 exploit — the mechanism, on-chain addresses, dollar figures, bailout, fundraise, and governance token launch — is well-confirmed across credible sources. However, three claims were disputed and one high-priority coverage gap requires correction before the page can be approved. The security section names the post-exploit replacement function as 'current_instruction_at' when independent security firms (Kudelski, Halborn) consistently identify it as 'load_instruction_at_checked' (claim_findings[27] disputed by Tier 2 sources). The bug bounty maximum is stated as $5 million but the live Immunefi program shows $1 million (claim_findings[28] disputed by Tier 1 source). Most significantly, the summary's statement that stolen funds 'remain substantially unrecovered despite a partial $140 million counter-exploit' materially understates the recovery outcome: law firm Kobre & Kim's public announcement states over $400 million was recovered by July 2024 via English court enforcement of a New York judgment (claim_findings[7] partially_supported; coverage_gaps[0] priority high). Additionally, the timeline entry for the Tai Mo Shan SEC charges is dated December 1, 2024, but the SEC's own press release is dated December 20, 2024 (claim_findings[36] disputed by Tier 1 source).","score_delta":-8,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
  Verify offline (run on your own machine):
  python -m src.verify_decision 0222db4a-6d66-4d14-be34-773e7a3f88ef
- #3 publish, by system:backfill, 2026-05-14 06:02:19Z. Score: ? → ? (no score change)
  anchor: anchored
  - chain: mainnet-beta, slot 419,628,831
  - sig: 49RTN8Evhtqi…rC2WJfFo
  - hash: 8oW3fmuR5Bd6…Ln4rGovN (sha256 → base58)
  - canonical bytes (35191 B):
{"actor":"system:backfill","investigation_id":"57924d6e-a4c7-4662-8069-3e5dd2071dba","kind":"publish","page_slug":"wormhole","published_at":"2026-05-14T06:02:19.694Z","sequence_num":3,"snapshot":{"content_type":"investigation","entity_name":"Wormhole","sections":[{"content":"Wormhole is a generic cross-chain messaging protocol that enables the transfer of arbitrary data and token value across a growing set of blockchains. As of 2025, Wormhole supports more than 30 networks including Ethereum, Solana, BNB Chain, Polygon, Avalanche, Arbitrum, Optimism, Base, Fantom, Aptos, and others. The protocol was originally developed by Certus One, which was acquired by Jump Trading in August 2021, bringing Wormhole under Jump Crypto's stewardship.\n\nWormhole's core architecture relies on a decentralized set of 19 validator nodes called Guardians. Each Guardian independently observes messages emitted by Wormhole's on-chain smart contracts across all supported chains. When a supermajority of 13 out of 19 Guardians cryptographically sign the same message, the network produces a Validator Action Approval (VAA), which functions as a proof enabling message delivery and asset minting on the destination chain. 
This guardian-based proof-of-authority model differs from fully trustless bridge designs and was the source of the 2022 exploit vulnerability.\n\nBeyond token bridging, Wormhole positions itself as a cross-chain messaging layer, with products including Native Token Transfers (NTT), which allows token issuers to maintain native token supply across chains without liquidity pools, and a Connect SDK for integrating cross-chain functionality into decentralized applications.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":2,"name":"Understanding Wormhole: The Cross-Chain Protocol Connecting Blockchains","type":"other","url":"https://eco.com/support/en/articles/13052583-understanding-wormhole-the-cross-chain-protocol-connecting-blockchains"},{"credibility":2,"name":"Wormhole Bridges: How Cross-Chain Transfers Work","type":"other","url":"https://financefeeds.com/wormhole-bridges-how-cross-chain-transfers-work/"},{"credibility":1,"name":"Wormhole Native Token Transfers Product Page","type":"official","url":"https://wormhole.com/products/native-token-transfers"}]},{"content":"On February 2, 2022, an unknown attacker exploited a critical vulnerability in Wormhole's Solana smart contracts, minting 120,000 wrapped ETH (wETH) on Solana without depositing any corresponding ETH collateral on Ethereum. At prevailing prices, the stolen assets were valued at approximately $326 million, making it the largest hack in Solana ecosystem history at the time.\n\nThe attack was technically rooted in Wormhole's reliance on a deprecated Solana standard library function called load_instruction_at. The signature verification flow in Wormhole's post_vaa instruction delegated responsibility through a chain: post_vaa called verify_signatures, which in turn called the Solana Secp256k1 program. 
The deprecated load_instruction_at function was used to confirm that a Secp256k1 verification instruction had been included in the transaction — but critically, this function does not validate whether the account it reads from is the real Solana Instructions sysvar. The attacker exploited this gap by constructing a fake sysvar account pre-loaded with data that made it appear as though a valid Secp256k1 call had been made. This forged account was accepted by the deprecated function, producing a valid SignatureSet without any legitimate guardian signatures. The attacker then used this fraudulent SignatureSet to call complete_wrapped and mint 120,000 wETH on Solana.\n\nAfter minting the wETH on Solana, the attacker bridged 93,750 wETH back across to Ethereum and redeemed it for native ETH, transferring it to Ethereum address 0x629e7da20197a5429d30da36e77d06cdf796b71a. The remaining approximately 26,250 wETH equivalent was initially held in a Solana wallet at address CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka. 
On-chain data also shows the attacker received 0.94 ETH from Tornado Cash prior to the attack, likely to cover transaction fees.\n\nWormhole posted a message during the incident offering a $10 million bug bounty to the attacker in exchange for returning the funds and providing exploit details; the attacker did not respond.","heading":"February 2022 Exploit — $326 Million Signature Verification Bypass","severity":"critical","sources":[{"credibility":2,"name":"Explained: The Wormhole Hack (February 2022) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-wormhole-hack-february-2022"},{"credibility":1,"name":"Blockchain Bridge Wormhole Suffers Possible Exploit Worth Over $326M — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2022/02/02/blockchain-bridge-wormhole-suffers-possible-exploit-worth-over-250m"},{"credibility":2,"name":"Wormhole Hack: Lessons From The Wormhole Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/wormhole-hack-february-2022/"},{"credibility":1,"name":"$320 million stolen from Wormhole, bridge linking Solana and Ethereum — CNBC","type":"news_article","url":"https://www.cnbc.com/2022/02/02/320-million-stolen-from-wormhole-bridge-linking-solana-and-ethereum.html"},{"credibility":2,"name":"Wormhole Bridge Exploit Analysis — CertiK","type":"research","url":"https://certik.medium.com/wormhole-bridge-exploit-analysis-5068d79cbb71"},{"credibility":2,"name":"Quick Analysis of the Wormhole Attack — Kudelski Security","type":"research","url":"https://kudelskisecurity.com/research/quick-analysis-of-the-wormhole-attack"},{"credibility":1,"name":"Wormhole Network Exploiter Address on Etherscan","type":"on_chain","url":"https://etherscan.io/address/0x629e7da20197a5429d30da36e77d06cdf796b71a"}]},{"content":"Within approximately 24 hours of the exploit, Jump Crypto — the crypto arm of Chicago-based trading firm Jump Trading — announced it had deposited 120,000 ETH directly into 
the Wormhole bridge, fully replenishing the stolen collateral. Jump Crypto publicly stated it 'believes in a multichain future and that Wormhole is essential infrastructure' and confirmed it 'replaced 120K ETH to make community members whole.' This was widely described as the largest DeFi bailout in history at that time. Jump Trading had acquired Certus One, the original Wormhole development team, in August 2021, giving it a direct financial stake in the protocol's survival.\n\nOn February 21, 2023, the English High Court of England and Wales issued an injunction ordering Oasis, a decentralized finance platform operated by MakerDAO ecosystem participants, to take steps to seize assets associated with the Wormhole exploit address. Oasis disclosed that it executed the court order by exploiting a previously undisclosed vulnerability in the design of its own admin multisig, allowing it to gain control over the exploiter's DeFi vaults on the platform. The operation — coordinated with Jump Crypto as the authorized third party under the court order — resulted in the recovery of approximately $140 million in assets (net of repaid DAI collateral debt). The assets were immediately transferred to a wallet controlled by the court-authorized third party.\n\nThe Oasis counter-exploit drew significant commentary in the crypto community regarding the implications for DeFi's 'immutability' guarantees, as Oasis was able to unilaterally access user vaults under judicial order. 
The exploiter filed a counter-claim in the proceedings, and further legal activity was reported in New York courts in 2024, where a judgment was obtained declaring the stolen assets victims had a proprietary right and interest in the stolen funds.","heading":"Jump Crypto Bailout and Fund Recovery Attempts","severity":"high","sources":[{"credibility":1,"name":"Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout' — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/jump-crypto-replenishes-funds-from-320m-wormhole-hack-in-largest-ever-defi-bailout"},{"credibility":1,"name":"Jump Trading Backstops Wormhole's $320M Exploit Loss — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2022/02/03/jump-trading-backstops-wormholes-320m-exploit-loss-sources"},{"credibility":1,"name":"$320M Crypto Hack: Jump Trading Refunds Customer Losses — Fortune","type":"news_article","url":"https://fortune.com/2022/02/04/320-million-crypto-hack-blockchain-ether-jump-trading-wormhole-refund-customer-losses/"},{"credibility":1,"name":"Oasis Exploits Its Own Wallet Software to Seize Crypto Stolen in Wormhole Hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2023/02/24/oasis-exploits-its-own-wallet-software-to-seize-crypto-stolen-in-wormhole-hack"},{"credibility":2,"name":"Jump Crypto Just Counter-Exploited the Wormhole Hacker for $140 Million — Blockworks","type":"news_article","url":"https://blockworks.com/news/jump-crypto-wormhole-hack-recovery"},{"credibility":1,"name":"Jump Crypto Replenishes $320 Million Stolen in Wormhole Hack — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2022-02-03/jump-trading-seen-as-replenishing-stolen-amount-in-wormhole-hack"}]},{"content":"The following on-chain addresses have been publicly identified in connection with the February 2022 exploit:\n\n- Primary Ethereum exploiter address: 
0x629e7da20197a5429d30da36e77d06cdf796b71a (labeled 'Wormhole Network Exploiter' on Etherscan)\n- Primary Solana exploiter address: CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka\n- Intermediate Ethereum address used during laundering: 0x8184ef7a6e54c72f56577a45adc5aed68037af51\n- Final Ethereum destination address: 0xe3174149f80d1ea429970ec5043e361bc003ddbd\n\nThe stolen funds remained dormant on-chain for nearly one year. On January 14, 2023, the exploiter's accounts on both Ethereum and Solana became active within approximately one hour of each other. On Solana, approximately 202,651 SOL and 2,683,305 USDCet were moved to new accounts and bridged to Ethereum. On January 23, 2023, additional activity occurred in which 95,630 ETH was sent to decentralized exchanges including OpenOcean and 1inch and converted into liquid staking tokens: Lido Finance's stETH and wrapped stETH (wstETH). The exploiter then used approximately 25,000 wstETH as collateral on MakerDAO to borrow approximately 14.5 million DAI, and cycled borrowed funds back into additional stETH purchases — a recursive collateralization strategy designed to obscure fund provenance through DeFi protocol interactions.\n\nAs of the Elliptic report in early 2023, the exploiter held approximately 71,407 wstETH, making them the third-largest holder of wstETH on Ethereum at the time. A portion of these assets was subsequently seized via the Oasis court-ordered counter-exploit in February 2023. 
The remaining unrecovered funds continue to be tracked by blockchain analytics firms.","heading":"On-Chain Addresses and Stolen Fund Movements","severity":"high","sources":[{"credibility":2,"name":"Stolen funds from the Wormhole hack on the move — Elliptic","type":"research","url":"https://www.elliptic.co/blog/analysis/stolen-funds-from-the-wormhole-hack-on-the-move-after-laying-dormant-for-almost-a-year"},{"credibility":1,"name":"Wormhole Network Exploiter — Etherscan","type":"on_chain","url":"https://etherscan.io/address/0x629e7da20197a5429d30da36e77d06cdf796b71a"},{"credibility":1,"name":"Wormhole hacker moves $155M — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/wormhole-hacker-moves-155m-in-biggest-shift-of-stolen-funds-in-months"},{"credibility":2,"name":"Solana Wormhole Compromise: 120k Stolen ETH — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/solana-wormhole-compromise-120k-stolen-eth"},{"credibility":2,"name":"Wormhole attackers transfer $2.9M USDC to new wallet — Crypto.news","type":"news_article","url":"https://crypto.news/wormhole-attackers-transfer-2-9m-usdc-to-a-new-wallet-address-months-after-hack/"}]},{"content":"No direct criminal charges or regulatory enforcement actions have been publicly identified against Wormhole or Wormhole Labs itself as of mid-2026. The legal proceedings related to the hack have been primarily civil in nature.\n\nOn February 21, 2023, the High Court of England and Wales issued an injunction directed at Oasis (oasis.app) ordering the retrieval of assets tied to the Wormhole exploit wallet. This order was carried out using Oasis's admin multisig in coordination with a court-authorized third party, recovering approximately $140 million net. 
Separately, in March 2024, a New York court issued a judgment declaring that victims of the Wormhole hack hold a proprietary interest in the stolen assets, a ruling that could support future recovery efforts.\n\nJump Crypto, the entity that backstopped the hack losses and was Wormhole's parent organization at the time, subsequently faced separate regulatory scrutiny. In June 2024, Fortune reported that the U.S. Commodity Futures Trading Commission (CFTC) had launched an investigation into Jump Crypto. Jump Crypto President Kanav Kariya resigned shortly thereafter. Additionally, in December 2024, the SEC charged Jump Crypto's offshore entity, Tai Mo Shan Limited, with misleading investors about the stability of Terraform Labs' UST stablecoin and engaging in unregistered securities dealings in LUNA tokens; Jump agreed to settle for approximately $123 million. These regulatory actions against Jump were related to the Terra/LUNA collapse, not the Wormhole hack directly, but reflect broader regulatory scrutiny of the firm that underwrote Wormhole's losses.","heading":"Regulatory and Legal Aftermath","severity":"high","sources":[{"credibility":1,"name":"Oasis Exploits Its Own Wallet Software — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2023/02/24/oasis-exploits-its-own-wallet-software-to-seize-crypto-stolen-in-wormhole-hack"},{"credibility":1,"name":"The CFTC is probing Jump Crypto — Fortune","type":"news_article","url":"https://fortune.com/crypto/2024/06/20/cftc-jump-crypto-behnam-kanav-kariya-sec/"},{"credibility":2,"name":"Jump Crypto Under CFTC Scrutiny — CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/jump-crypto-cftc-scrutiny-series-high-profile-incidents/"},{"credibility":2,"name":"Jump Crypto President Resigns Amid CFTC Investigation — CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/jump-crypto-president-resigns-amid-cftc-investigation/"}]},{"content":"Following the exploit, Wormhole patched the 
immediate vulnerability by replacing the deprecated load_instruction_at function with the properly validated current_instruction_at equivalent, which correctly verifies the Instructions sysvar address. The bridge relaunched after the patch and Jump Crypto's fund replenishment.\n\nIn subsequent years, Wormhole implemented a layered security architecture. The Guardian Network was supplemented by two additional on-chain security mechanisms: the Global Accountant, which performs integrity checks on every token transfer to ensure that no chain can have more tokens minted or burned than were ever deposited, enforced by all 19 Guardians; and the Governor, which monitors and rate-limits asset outflows per chain per time period to contain the blast radius of any future exploit.\n\nAs of 2024, Wormhole reported completing 29 third-party security audits. The protocol also operates one of the larger bug bounty programs in the DeFi space through Immunefi, with a maximum payout of $5 million. Google Cloud was added as one of the 19 Guardian node operators, providing additional infrastructure redundancy. 
Wormhole has also announced development of zero-knowledge proof-based verification mechanisms as a longer-term architectural improvement.\n\nIn July 2023, TechCrunch reported on Wormhole's security improvements and rebuilding efforts, noting the protocol's attempt to move beyond the reputational damage of the hack.","heading":"Security Improvements and Post-Hack Rebuilding","severity":"medium","sources":[{"credibility":1,"name":"Wormhole Security Page","type":"official","url":"https://wormhole.com/platform/security"},{"credibility":1,"name":"Wormhole digs out of its hole with new security measures — TechCrunch","type":"news_article","url":"https://techcrunch.com/2023/07/27/wormhole-new-security-320m-hack/"},{"credibility":1,"name":"Wormhole Integrates Google Cloud Into Guardian Security System","type":"official","url":"https://wormhole.com/blog/wormhole-integrates-google-cloud-into-guardian-security-system"},{"credibility":1,"name":"Guardians — Wormhole Docs","type":"official","url":"https://wormhole.com/docs/protocol/infrastructure/guardians/"}]},{"content":"In mid-2023, the Wormhole team began operating independently of Jump Trading. The team formally incorporated as Wormhole Labs in May 2023, with approximately 15 staff, most from Jump Crypto, departing the firm in August 2023 to focus solely on the protocol. CEO Saeed Badreg and COO Anthony Ramirez left Jump Trading to lead Wormhole as an independent entity. Bloomberg first reported the separation in November 2023.\n\nAlso in November 2023, Wormhole announced a $225 million funding round at a $2.5 billion valuation — the largest crypto fundraise of 2023 by deal size. Investors included Brevan Howard, Coinbase Ventures, Multicoin Capital, ParaFi Capital, Dialectic, Borderless Capital, Arrington Capital, and Jump Trading (retaining a stake). 
The investment was structured as token warrants rather than equity, with investors receiving rights to a portion of the yet-to-be-launched W token supply.","heading":"Independence from Jump Trading and $225M Fundraise","severity":"low","sources":[{"credibility":1,"name":"Jump Trading, Wormhole Part Ways — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2023/11/17/jump-trading-wormhole-part-ways-amid-tough-crypto-market-bloomberg"},{"credibility":1,"name":"Wormhole raises $225 million at a $2.5 billion valuation — Fortune","type":"news_article","url":"https://fortune.com/crypto/2023/11/29/wormhole-raises-225-million-2-5-billion-valuation-jump-crypto-split/"},{"credibility":1,"name":"Blockchain Messaging Platform Wormhole Raises $225M at $2.5B Valuation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2023/11/29/blockchain-messaging-platform-wormhole-raises-225m-at-25b-valuation"},{"credibility":1,"name":"Brevan Howard Backs Jump-Incubated Wormhole in $225 Million Round — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2023-11-29/wormhole-jump-incubated-crypto-project-raises-at-2-5-billion-valuation"},{"credibility":2,"name":"Wormhole execs depart Jump Trading to run protocol independently — Blockworks","type":"news_article","url":"https://blockworks.co/news/wormhole-jump-trading-separate"}]},{"content":"In March 2024, Wormhole announced plans to distribute 617 million W tokens — representing 6.17% of a total supply of 10 billion — to past protocol users in an airdrop. The W token launched on April 3, 2024, with listings on Binance, Bybit, Bitget, OKX, Backpack, and Gate.io. W debuted at approximately $1.66 and the total protocol valuation at launch was approximately $3 billion fully diluted.\n\nUnder the initial tokenomics, 82% of the total W supply was locked at launch with a four-year vesting schedule. 
Allocations included 5.1% to the Guardian Network (vested), 17% to the community (11% unlocked at TGE for the airdrop and early programs), and 11.6% to strategic network participants. The token is intended to power governance of the Wormhole DAO, with token holders eventually gaining voting rights over protocol parameters and treasury management.\n\nIn September 2025, Wormhole announced a W 2.0 tokenomics upgrade introducing a 4% targeted base yield on W, a Wormhole Reserve mechanism, and a shift from annual token unlock cliffs to bi-weekly unlock schedules.","heading":"W Token Launch and Governance","severity":"low","sources":[{"credibility":1,"name":"Wormhole to Airdrop 617M W Tokens to Past Users — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2024/03/06/wormhole-to-release-617m-w-tokens-in-first-airdrop"},{"credibility":1,"name":"Wormhole Debuts at $3B Valuation in 617M Token Airdrop — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2024/04/03/wormhole-debuts-at-3b-valuation-in-617m-token-airdrop"},{"credibility":1,"name":"Wormhole W Tokenomics — Official Blog","type":"official","url":"https://wormhole.com/blog/wormhole-w-tokenomics"},{"credibility":1,"name":"Wormhole announces W token 2.0 upgrade — Official Blog","type":"official","url":"https://wormhole.com/blog/wormhole-announces-w-token-2-0-upgrade"}]},{"content":"The Wormhole exploit occurred within a broader pattern of cross-chain bridge vulnerabilities that made 2022 the most destructive year for bridge hacks in DeFi history, with over $1.3 billion stolen across multiple protocols.\n\nThe Ronin Bridge (Axie Infinity) was hacked for approximately $625 million in March 2022 when attackers compromised private keys of five out of nine validator nodes through a spear-phishing campaign, gaining the threshold needed to authorize fraudulent withdrawals. 
The Harmony Horizon Bridge was exploited for approximately $100 million in June 2022 through compromise of a 2-of-5 multisig setup. The Nomad Bridge lost approximately $190 million in August 2022 when a smart contract upgrade introduced a bug allowing any user to forge transfer proofs, triggering a chaotic free-for-all in which roughly 80% of losses were caused by copycat exploiters after the original attacker.\n\nSecurity researchers have categorized cross-chain bridge vulnerabilities into two broad types: smart contract logic flaws (as in Wormhole and Nomad) and compromised private keys or validator credentials (as in Ronin and Harmony). Chainlink has identified seven distinct vulnerability categories for bridge protocols. Reports from CertiK and other security firms have noted that cross-chain bridges represent high-value targets because they hold large pools of locked assets on one chain while minting equivalent representations on another, creating a systemic risk amplifier for the DeFi ecosystem.\n\nThe Wormhole hack is also referenced as historical context in analyses of subsequent Solana ecosystem exploits. 
The Drift Protocol exploit of April 2026, which involved losses of approximately $285 million, became the second-largest Solana ecosystem hack after Wormhole, illustrating the continued risk profile of high-value DeFi protocols built on Solana.","heading":"Cross-Chain Bridge Security Context","severity":"high","sources":[{"credibility":2,"name":"5 Biggest Crypto Cross-Chain Bridge Hacks in 2022 — BitcoinTaxes","type":"research","url":"https://bitcoin.tax/blog/cross-chain-bridge-hacks/"},{"credibility":2,"name":"Cross-Chain Vulnerabilities & Bridge Exploits in 2022 — CertiK","type":"research","url":"https://www.certik.com/resources/blog/GuBAYoHdhrS1mK9Nyfyto-cross-chain-vulnerabilities-and-bridge-exploits-in-2022"},{"credibility":2,"name":"7 Cross-Chain Bridge Vulnerabilities Explained — Chainlink","type":"research","url":"https://chain.link/education-hub/cross-chain-bridge-vulnerabilities"},{"credibility":1,"name":"Ronin Attack Shows Cross-Chain Crypto Is a 'Bridge' Too Far — CoinDesk","type":"news_article","url":"https://www.coindesk.com/layer2/2022/04/05/ronin-attack-shows-cross-chain-crypto-is-a-bridge-too-far"},{"credibility":1,"name":"Report: Half of all DeFi exploits are cross-bridge hacks — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/report-half-of-all-defi-exploits-are-cross-bridge-hacks"},{"credibility":1,"name":"Dissecting the Nomad Bridge Hack — Mandiant / Google Cloud","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/dissecting-nomad-bridge-hack"}]}],"sources_used":[{"credibility":2,"name":"Explained: The Wormhole Hack — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-wormhole-hack-february-2022"},{"credibility":2,"name":"Wormhole Hack: Lessons From The Wormhole Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/wormhole-hack-february-2022/"},{"credibility":1,"name":"Blockchain Bridge Wormhole Suffers Possible Exploit Worth 
Over $326M — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2022/02/02/blockchain-bridge-wormhole-suffers-possible-exploit-worth-over-250m"},{"credibility":1,"name":"$320 million stolen from Wormhole — CNBC","type":"news_article","url":"https://www.cnbc.com/2022/02/02/320-million-stolen-from-wormhole-bridge-linking-solana-and-ethereum.html"},{"credibility":1,"name":"Jump Trading Backstops Wormhole's $320M Exploit Loss — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2022/02/03/jump-trading-backstops-wormholes-320m-exploit-loss-sources"},{"credibility":1,"name":"Jump Crypto replenishes funds — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/jump-crypto-replenishes-funds-from-320m-wormhole-hack-in-largest-ever-defi-bailout"},{"credibility":1,"name":"Jump Crypto Replenishes $320 Million — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2022-02-03/jump-trading-seen-as-replenishing-stolen-amount-in-wormhole-hack"},{"credibility":1,"name":"Wormhole hack — Fortune","type":"news_article","url":"https://fortune.com/2022/02/04/320-million-crypto-hack-blockchain-ether-jump-trading-wormhole-refund-customer-losses/"},{"credibility":2,"name":"Stolen funds from Wormhole hack on the move — Elliptic","type":"research","url":"https://www.elliptic.co/blog/analysis/stolen-funds-from-the-wormhole-hack-on-the-move-after-laying-dormant-for-almost-a-year"},{"credibility":1,"name":"Wormhole hacker moves $155M — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/wormhole-hacker-moves-155m-in-biggest-shift-of-stolen-funds-in-months"},{"credibility":1,"name":"Oasis Exploits Its Own Wallet Software — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2023/02/24/oasis-exploits-its-own-wallet-software-to-seize-crypto-stolen-in-wormhole-hack"},{"credibility":2,"name":"Jump Crypto Counter-Exploited Wormhole Hacker for $140M — 
Blockworks","type":"news_article","url":"https://blockworks.com/news/jump-crypto-wormhole-hack-recovery"},{"credibility":1,"name":"Jump Trading, Wormhole Part Ways — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2023/11/17/jump-trading-wormhole-part-ways-amid-tough-crypto-market-bloomberg"},{"credibility":1,"name":"Wormhole raises $225 million at $2.5 billion valuation — Fortune","type":"news_article","url":"https://fortune.com/crypto/2023/11/29/wormhole-raises-225-million-2-5-billion-valuation-jump-crypto-split/"},{"credibility":1,"name":"Wormhole raises $225M at $2.5B valuation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2023/11/29/blockchain-messaging-platform-wormhole-raises-225m-at-25b-valuation"},{"credibility":1,"name":"Brevan Howard Backs Wormhole — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2023-11-29/wormhole-jump-incubated-crypto-project-raises-at-2-5-billion-valuation"},{"credibility":1,"name":"Wormhole to Airdrop 617M W Tokens — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2024/03/06/wormhole-to-release-617m-w-tokens-in-first-airdrop"},{"credibility":1,"name":"Wormhole Debuts at $3B Valuation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2024/04/03/wormhole-debuts-at-3b-valuation-in-617m-token-airdrop"},{"credibility":1,"name":"CFTC probing Jump Crypto — Fortune","type":"news_article","url":"https://fortune.com/crypto/2024/06/20/cftc-jump-crypto-behnam-kanav-kariya-sec/"},{"credibility":1,"name":"Wormhole Network Exploiter — Etherscan","type":"on_chain","url":"https://etherscan.io/address/0x629e7da20197a5429d30da36e77d06cdf796b71a"},{"credibility":2,"name":"Wormhole execs depart Jump Trading — Blockworks","type":"news_article","url":"https://blockworks.co/news/wormhole-jump-trading-separate"},{"credibility":1,"name":"Wormhole Security 
Page","type":"official","url":"https://wormhole.com/platform/security"},{"credibility":1,"name":"Wormhole W Tokenomics — Official","type":"official","url":"https://wormhole.com/blog/wormhole-w-tokenomics"},{"credibility":2,"name":"Solana Wormhole Compromise — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/solana-wormhole-compromise-120k-stolen-eth"},{"credibility":2,"name":"5 Biggest Crypto Cross-Chain Bridge Hacks in 2022 — BitcoinTaxes","type":"research","url":"https://bitcoin.tax/blog/cross-chain-bridge-hacks/"},{"credibility":1,"name":"Wormhole digs out of its hole — TechCrunch","type":"news_article","url":"https://techcrunch.com/2023/07/27/wormhole-new-security-320m-hack/"},{"credibility":2,"name":"Wormhole bridge exploit analysis — CertiK","type":"research","url":"https://certik.medium.com/wormhole-bridge-exploit-analysis-5068d79cbb71"},{"credibility":2,"name":"Quick Analysis of the Wormhole Attack — Kudelski Security","type":"research","url":"https://kudelskisecurity.com/research/quick-analysis-of-the-wormhole-attack"}],"summary":"Wormhole is a cross-chain messaging and token bridge protocol enabling interoperability across more than 30 blockchain networks, originally developed by Certus One and later backed by Jump Crypto. On February 2, 2022, Wormhole suffered a $326 million exploit — the largest hack in Solana ecosystem history at the time — when an attacker exploited a deprecated Solana function to forge guardian signatures and mint 120,000 wETH without locking any collateral. 
Jump Crypto immediately replenished the stolen funds to keep users whole, and the project subsequently raised $225 million at a $2.5 billion valuation, separated from Jump Trading as an independent entity, and launched the W governance token in April 2024; as of 2026, the stolen funds remain substantially unrecovered despite a partial $140 million counter-exploit via English court order.","timeline":[{"date":"2021-08-01","event":"Jump Trading acquires Certus One, the original developer of Wormhole, bringing the protocol under Jump Crypto's stewardship.","source":"Fortune","source_url":"https://fortune.com/2022/02/04/320-million-crypto-hack-blockchain-ether-jump-trading-wormhole-refund-customer-losses/"},{"date":"2022-02-02","event":"Wormhole exploited for 120,000 wETH (~$326M) via deprecated load_instruction_at function; attacker mints wETH on Solana without locking ETH collateral. Primary attacker Ethereum address: 0x629e7da20197a5429d30da36e77d06cdf796b71a.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2022/02/02/blockchain-bridge-wormhole-suffers-possible-exploit-worth-over-250m"},{"date":"2022-02-03","event":"Jump Crypto deposits 120,000 ETH into Wormhole bridge to replenish stolen funds, described as the largest DeFi bailout to date. Wormhole reopens.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2022/02/03/jump-trading-backstops-wormholes-320m-exploit-loss-sources"},{"date":"2023-01-14","event":"Stolen funds move after approximately one year of dormancy. 
Exploiter activates Solana and Ethereum wallets within one hour of each other, bridging ~202,651 SOL and ~2.68M USDCet from Solana to Ethereum.","source":"Elliptic","source_url":"https://www.elliptic.co/blog/analysis/stolen-funds-from-the-wormhole-hack-on-the-move-after-laying-dormant-for-almost-a-year"},{"date":"2023-01-23","event":"Wormhole hacker converts 95,630 ETH into stETH and wstETH via 1inch and OpenOcean DEXes, and uses staked ETH as MakerDAO collateral to borrow DAI in a recursive collateralization strategy.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/wormhole-hacker-moves-155m-in-biggest-shift-of-stolen-funds-in-months"},{"date":"2023-02-21","event":"English High Court issues injunction ordering Oasis to retrieve assets associated with the Wormhole exploit wallet.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2023/02/24/oasis-exploits-its-own-wallet-software-to-seize-crypto-stolen-in-wormhole-hack"},{"date":"2023-02-24","event":"Jump Crypto and Oasis execute court-ordered counter-exploit, recovering approximately $140M net from the hacker's DeFi vaults. 
Oasis discloses it used a previously unknown admin multisig vulnerability to carry out the operation.","source":"Blockworks","source_url":"https://blockworks.com/news/jump-crypto-wormhole-hack-recovery"},{"date":"2023-05-01","event":"Wormhole Labs formally incorporated as an independent entity, with a team of approximately 15, primarily from Jump Crypto.","source":"Blockworks","source_url":"https://blockworks.co/news/wormhole-jump-trading-separate"},{"date":"2023-11-17","event":"Bloomberg reports Jump Trading and Wormhole have parted ways; CEO Saeed Badreg and COO Anthony Ramirez leave Jump to run Wormhole independently.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2023/11/17/jump-trading-wormhole-part-ways-amid-tough-crypto-market-bloomberg"},{"date":"2023-11-29","event":"Wormhole raises $225 million at a $2.5 billion valuation, the largest crypto fundraise of 2023, from investors including Brevan Howard, Coinbase Ventures, Multicoin Capital, and ParaFi.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2023/11/29/blockchain-messaging-platform-wormhole-raises-225m-at-25b-valuation"},{"date":"2024-03-06","event":"Wormhole announces first airdrop of 617 million W tokens (6.17% of 10B total supply) to past protocol users.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2024/03/06/wormhole-to-release-617m-w-tokens-in-first-airdrop"},{"date":"2024-04-03","event":"W token launches on major exchanges including Binance, Bybit, OKX, and others. Wormhole debuts at approximately $3B fully diluted valuation with W priced near $1.66.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2024/04/03/wormhole-debuts-at-3b-valuation-in-617m-token-airdrop"},{"date":"2024-06-20","event":"Fortune reports CFTC has launched an investigation into Jump Crypto. Jump Crypto President Kanav Kariya resigns shortly after. 
The investigation is unrelated to the Wormhole hack but reflects regulatory scrutiny of the firm that backstopped it.","source":"Fortune","source_url":"https://fortune.com/crypto/2024/06/20/cftc-jump-crypto-behnam-kanav-kariya-sec/"},{"date":"2024-12-01","event":"SEC charges Jump Crypto's offshore entity Tai Mo Shan with misleading investors over Terra UST stability and unregistered LUNA securities dealings; Jump settles for approximately $123 million.","source":"CCN","source_url":"https://www.ccn.com/news/crypto/jump-crypto-cftc-scrutiny-series-high-profile-incidents/"}]},"v":1}
Verify offline (run on your own machine): python -m src.verify_decision ad4a902c-2243-48c7-86d6-2fefd0e917ab
- #4 review by reviewer, 2026-06-14 23:15:48Z. Score: 34 → 34 (no score change)
Blue-chip calibration review (Prompt A). Verdict: over-penalized. Page content is treated as accurate; the trust_score band is miscalibrated. Wormhole is a legitimate, actively operating cross-chain messaging protocol that suffered a third-party exploit in February 2022. The hack was due to a deprecated Solana function, not fraud or intentional negligence by the entity. Jump Crypto made users whole within 24 hours, and by July 2024 all stolen assets were recovered via court proceedings (over $400M in value). The page's most significant factual error is stating '$140M remain unrecovered as of 2026' — this is stale: the recovery was completed in full on July 19, 2024. The protocol has since raised $225M, launched a governance token at a $3B+ FDV, and continues operations with $65B+ in processed transactions and institutional partners including BlackRock, Circle, and Uniswap. The Jump Crypto regulatory actions (CFTC probe, $123M SEC settlement) relate to Terra/UST conduct entirely separate from Wormhole. Under the post-policy band semantics, a score of 34/WARNING is mis-banded: there is no unresolved severe incident (recovery is complete), no fraud by the entity, and the protocol is actively operating with material institutional backing. A CAUTIONARY score of 62 is appropriate — the 2022 exploit warrants a permanent caveat about bridge security history and the indirect regulatory cloud from the Jump Crypto parent era, but the entity itself is legitimate and the loss event has been resolved.
- anchor: anchored
- chain: mainnet-beta, slot 426,514,288
- sig: 2czJxxaw5kdv…XBjUXpwN
- hash: E7ATt6AxYR7g…E5aUiZ1z (sha256 → base58)
- canonical bytes (1856 B):
{"actor":"reviewer","decided_at":"2026-06-14T23:15:48.493Z","decision":"review","investigation_id":"57924d6e-a4c7-4662-8069-3e5dd2071dba","new_score":34,"page_slug":"wormhole","prev_score":34,"reason":"Blue-chip calibration review (Prompt A). Verdict: over-penalized. Page content is treated as accurate; the trust_score band is miscalibrated. Wormhole is a legitimate, actively operating cross-chain messaging protocol that suffered a third-party exploit in February 2022. The hack was due to a deprecated Solana function, not fraud or intentional negligence by the entity. Jump Crypto made users whole within 24 hours, and by July 2024 all stolen assets were recovered via court proceedings (over $400M in value). The page's most significant factual error is stating '$140M remain unrecovered as of 2026' — this is stale: the recovery was completed in full on July 19, 2024. The protocol has since raised $225M, launched a governance token at a $3B+ FDV, and continues operations with $65B+ in processed transactions and institutional partners including BlackRock, Circle, and Uniswap. The Jump Crypto regulatory actions (CFTC probe, $123M SEC settlement) relate to Terra/UST conduct entirely separate from Wormhole. Under the post-policy band semantics, a score of 34/WARNING is mis-banded: there is no unresolved severe incident (recovery is complete), no fraud by the entity, and the protocol is actively operating with material institutional backing. 
A CAUTIONARY score of 62 is appropriate — the 2022 exploit warrants a permanent caveat about bridge security history and the indirect regulatory cloud from the Jump Crypto parent era, but the entity itself is legitimate and the loss event has been resolved.","score_delta":0,"sequence_num":4,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
Verify offline (run on your own machine): python -m src.verify_decision 0c797717-8f96-4003-8672-666216512b54
- #5 review approve by judge, 2026-06-14 23:15:48Z. Score: 34 → 62 (+28)
This is a severity-calibration adjudication. The review found 0% disputed claims — all six claim_findings are fully supported by Tier 1 and Tier 2 sources — and the page content stands as accurate. The current score of 34 (WARNING band) is demonstrably miscalibrated: the WARNING band requires an unresolved severe incident or elevated fraud risk, but claim_findings[1] confirms users were made whole within 24 hours of the 2022 exploit, and claim_findings[2] confirms full asset recovery was completed by July 19, 2024, making the page's statement that '$140M remain unrecovered as of 2026' stale. The WARNING score also conflates Jump Crypto's separate CFTC/SEC regulatory actions over Terra/UST (claim_findings[4]) with Wormhole itself, despite the page noting no direct charges against Wormhole. claim_findings[3] and [5] document a $225M institutional fundraise, $65B+ in processed transactions, and active integration with BlackRock, Circle, and Uniswap — consistent with CAUTIONARY (score 62), which appropriately preserves a permanent caveat for the protocol's bridge security history while reflecting that the incident is resolved and the entity is legitimate.
- anchor: anchored
- chain: mainnet-beta, slot 426,514,291
- sig: VQXF2468DMfc…n9afruj5
- hash: FVmQXBJmA7LW…QQZ13X9w (sha256 → base58)
- canonical bytes (1519 B):
{"actor":"judge","decided_at":"2026-06-14T23:15:48.493Z","decision":"review_approve","investigation_id":"57924d6e-a4c7-4662-8069-3e5dd2071dba","new_score":62,"page_slug":"wormhole","prev_score":34,"reason":"This is a severity-calibration adjudication. The review found 0% disputed claims — all six claim_findings are fully supported by Tier 1 and Tier 2 sources — and the page content stands as accurate. The current score of 34 (WARNING band) is demonstrably miscalibrated: the WARNING band requires an unresolved severe incident or elevated fraud risk, but claim_findings[1] confirms users were made whole within 24 hours of the 2022 exploit, and claim_findings[2] confirms full asset recovery was completed by July 19, 2024, making the page's statement that '$140M remain unrecovered as of 2026' stale. The WARNING score also conflates Jump Crypto's separate CFTC/SEC regulatory actions over Terra/UST (claim_findings[4]) with Wormhole itself, despite the page noting no direct charges against Wormhole. claim_findings[3] and [5] document a $225M institutional fundraise, $65B+ in processed transactions, and active integration with BlackRock, Circle, and Uniswap — consistent with CAUTIONARY (score 62), which appropriately preserves a permanent caveat for the protocol's bridge security history while reflecting that the incident is resolved and the entity is legitimate.","score_delta":28,"sequence_num":5,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
Verify offline (run on your own machine): python -m src.verify_decision c9deb412-6742-4fe3-b68a-0fe66b10961a
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
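The "Row integrity" check described above, as an added example (this is not avoid.net's verifier and not the code behind src.verify_decision). It assumes the stored hash is the base58 encoding of the raw 32-byte SHA-256 digest of the canonical bytes, as the "sha256 → base58" label indicates; the sample record, its serialization and all function names are constructed for illustration.

```python
import hashlib
import json
from typing import List, Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Bitcoin/Solana-style base58: big-endian integer, leading 0x00 -> '1'."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def row_hash(canonical: bytes) -> str:
    """Hash of a row as displayed on the page (assumed: base58 of SHA-256)."""
    return b58encode(hashlib.sha256(canonical).digest())


def verify_row(canonical: bytes, stored_hash: str,
               declared_len: Optional[int] = None) -> List[str]:
    """Return a list of problems; an empty list means the row checks out."""
    problems = []
    if declared_len is not None and len(canonical) != declared_len:
        problems.append("length mismatch")
    if row_hash(canonical) != stored_hash:
        problems.append("hash mismatch")
        return problems  # do not interpret fields of unauthenticated bytes
    rec = json.loads(canonical)
    # Internal consistency of the score fields the audit log records.
    if rec["new_score"] - rec["prev_score"] != rec["score_delta"]:
        problems.append("score_delta inconsistent")
    return problems


# Constructed sample row (field names from the page, values illustrative).
# Sorted keys and compact separators are an assumption about canonical form;
# a real check must hash the bytes exactly as published, never re-serialize.
SAMPLE = json.dumps(
    {"actor": "judge", "decision": "review_approve",
     "investigation_id": "00000000-0000-0000-0000-000000000000",
     "new_score": 62, "page_slug": "example", "prev_score": 34,
     "reason": "constructed sample", "score_delta": 28,
     "sequence_num": 5, "v": 1},
    sort_keys=True, separators=(",", ":"), ensure_ascii=False,
).encode("utf-8")

if __name__ == "__main__":
    stored = row_hash(SAMPLE)
    print(stored, verify_row(SAMPLE, stored, len(SAMPLE)))
    tampered = SAMPLE.replace(b'"new_score":62', b'"new_score":92')
    print(verify_row(tampered, stored, len(SAMPLE)))
```

A matching hash only shows the bytes agree with the stored hash; comparing that hash with the on-chain memo is what ties the row to something the site cannot rewrite.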