A Hack for the (Digital) Ages: Assessing Wormhole’s Communications Response Following $320 Million Breach

By Nate Johnson

Managing Director and Head of the Blockchain, Digital Assets, and Fintech Practice

If last week’s $320 million Wormhole hack had been a brick-and-mortar bank robbery, it would have ranked among the largest in history. But in the realm of cryptocurrency and decentralized finance (DeFi), the Wormhole hack clocks in as only the fourth-largest digital asset heist of the past 10 years—and events like these are only becoming more frequent.

As crypto adoption increases, DeFi protocols in particular are likely to be increasingly targeted by attacks like these. Should such a hack occur, these protocols must be prepared to not only act quickly to address any underlying platform vulnerabilities, but also to communicate quickly, clearly and effectively about the situation with all relevant audiences. With that in mind, the following includes some best practices for communicating during and after a hack, as well as an assessment of the effectiveness of Wormhole’s response.

Hack Communications Best Practices

Immediately following a hack, the most important questions to answer are typically:

  • What is the impact to users?

  • What has been (or is being) done to mitigate the issue? When will a fix be live?

  • If funds were stolen, what efforts are being undertaken to recoup them or otherwise make users whole?

  • What, if any, action is required by users to protect themselves from further harm?

If any of these questions requires additional time to answer, it is important to be clear and honest in initial communications about what is and is not known – with a commitment to getting to the bottom of the issue and providing more information as it becomes available.

It is also important to communicate consistently across all key communications channels, which in crypto can include (among others):

  • Twitter

  • Reddit

  • Discord

  • Telegram

  • Corporate/project blog

Another important constituent is the media. It is important to be in contact with relevant reporters who may report on the incident to ensure they have appropriate context and a statement regarding the status of response efforts and commitment to rectifying the situation.

As progress is made and answers are identified, companies should continue to provide updates across their regular channels in a timely manner (as appropriate).

Once the vulnerability that led to the hack has been addressed, it is also a best practice to publish a detailed post-mortem, outlining how the hack occurred, what was done to fix it, and most importantly, the new measures being taken to prevent similar issues from occurring in the future.

What Wormhole Did Right

Overall, Wormhole’s response to the hack was effective. When the incident occurred, they communicated quickly via Twitter – not jumping to provide answers before they had them, but rather acknowledging that they were aware of the situation and would be sharing more information shortly.

Then, as they had more information, they provided answers to several of the critical questions detailed above: 

The Wormhole team was also active in the Wormhole Discord chat room as the situation unfolded, providing information to users and answering questions.

After patching the vulnerability, the company also posted a detailed and articulate post-mortem on Twitter and Medium outlining what had occurred, what steps were taken to rectify the situation, and the measures put in place to prevent similar future attacks.

What Wormhole Could Have Done Better

For everything they did right, there were a number of areas in which Wormhole’s response could have been improved.

Perhaps their biggest misstep was the asymmetrical manner in which they communicated updates on the situation to their users. For example, on Twitter, the Wormhole team shared only four updates throughout the incident, while in the project’s Discord, the team was providing deeper insights into what was occurring and answering some user questions directly.

The team also neglected some communications channels altogether, including Reddit – a platform on which the majority of public chatter about the hack was occurring, much of which was negative.

It is critical that projects communicate with the same information and level of detail across all channels, as not all users interact with all platforms. If a response team is stretched thin and can effectively manage only one channel, it is important that 1) the channel be the most publicly visible and frequently-used (typically Twitter, given that Discord and similar chat room platforms are typically harder to access), and 2) users across all platforms are made aware of the channel that will be used as the primary communications hub. To their credit, the Wormhole team did attempt to make clear in repeated Discord messages that Twitter would be its primary source of updates regarding the hack, but it still intermittently provided additional information in the Discord – sending mixed messages to users.

Additionally, the Wormhole team did not appear to have spoken to or provided a statement to any media covering the hack, which meant that the narrative was controlled entirely by the reporters and the third-party commentators they chose to include in their stories.

Protecting Yourself

Organizations, whether operating primarily on the blockchain or otherwise, that hope to minimize reputational damage from a hack should have a clear, standardized playbook in place for identifying the answers to the key questions above and determining when, where, and how they are communicated.
