- Yesterday’s hack of the Wormhole bridging protocol was the result of a code exploit
- The hacker made Wormhole think that its mass wETH minting had been authorized by Solana blockchain guardians
- 120,000 wETH worth $320 million was minted, with 93,750 moved back to the Ethereum blockchain
Yesterday’s huge attack on the Wormhole bridging platform exploited a deficiency in the protocol’s code that allowed a hacker to trick it into thinking that they had been authorized to mint 120,000 wrapped ETH (wETH). Blockchain sleuths figured out how the hacker had gone about manipulating the Wormhole smart contract and posted their theories on Twitter, with all coming to the same conclusion – Wormhole’s code was not up to scratch.
Alright. I figured out the Solana x Wormhole Bridge hack. ~300 million dollars worth of ETH drained out of the Wormhole Bridge on Ethereum. Here’s how it happened.
— smartcontracts (@kelvinfichter) February 3, 2022
Wormhole Hacker Exploited Signature Verification
Investigations revealed that the attacker managed to hoodwink the Wormhole contract into believing that they had authorisation from the Solana blockchain guardians to mint the wETH. This was achieved by dint of a ‘fake’ system program which allowed them to effectively lie about the fact that the signature check program was executed, when in fact the signatures weren’t being matched at all.
The hacker used the exploit to mint 120,000 wETH, moving 93,750 back to the Ethereum blockchain, presumably in advance of washing it through Tornado cash or an equivalent.
In the immediate aftermath of the hack Wormhole offered a $10 million bounty for the attacker should they return the wETH, an offer which is yet to be accepted 18 hours later.
In truth, accepting $10 million when you could just launder $230 million worth of wETH is hardly a tempting proposition.
Vitalik Buterin Warned About Bridging Protocols
The hack comes just weeks after Ethereum creator Vitalik Buterin warned on a Reddit AMA of the safety of bridging protocols:
The fundamental security limits of bridges are actually a key reason why while I am optimistic about a multi-chain blockchain ecosystem (there really are a few separate communities with different values and it’s better for them to live separately than all fight over influence on the same thing), I am pessimistic about cross-chain applications.
Sadly, Buterin has been proved right through one of the biggest DeFi hacks of all time.