Wormhole Blockchain Bridge Exploited for Over $300 Million

Blockchain & Cryptocurrency
,
Breach Notification
,
Cryptocurrency Fraud

DeFi Platform Patches Vulnerability, Says ‘Funds Are Safe’

Screenshot of the Wormhole portal’s landing page (Source: portalbridge.com).

The Wormhole network, a token bridge that allows users to trade multiple cryptocurrencies without a centralized exchange, has been exploited for 120,000 wETH tokens (or $321 million), the company acknowledged via Twitter. The company also says it has issued a fix for the flaw, and is working to “get the network back up as soon as possible”.

See Also: Gone Phishing: Strategic Defense Against Persistent Phishing Tactics


Wormhole also tweeted that “ETH will be added over the next hours to ensure wETH is backed 1:1.”

Wrapped ETH, or wETH, refers to an ERC-20 compatible version of ether. To exchange ETH with other Ethereum-based tokens, it needs to be wrapped into wETH. The value of ETH and WETH are the same.

Its portal, at the time this story was posted, showed that its team was “actively working to get portal back up and running. A fix has been deployed and all funds are safe.”

A company spokesperson did not immediately respond to Information Security Media Group’s request for additional details about the incident.

The incident comes months after a massive DeFi attack that cost blockchain-based Poly Network platform more than $600 million in cryptocurrency (see: Poly Network Says $600 Million in Cryptocurrency Stolen).

Attack Details

The Wormhole incident is the largest attack to date on the Solana ecosystem, according to blockchain security firm CertiK.

“Preliminary analysis indicates that the attacker exploited a mint function on the Solana side of the Wormhole bridge to create 120,000 wETH for themselves, then used these minted tokens to claim ETH that was held on the Ethereum side of the bridge,” a spokesperson for CertiK, requesting anonymity, tells ISMG.

Certik’s analysis, the company executive says, shows that the attacker has gained 93,750 ETH ($251 million), 432,662 SOL ($46.6 million), and 4.14 million USDC, a stablecoin ($4.14 million), for a total of $302,495,717.

“Wormhole’s bridge allowed users to convert their Ethereum-native ETH to Solana-compatible wETH (Wormhole Ether). The bridge held a 1:1 ratio of ETH to wETH, acting essentially as an escrow service,” CertiK says.

“Its popularity meant that it had become the dominant bridge between Solana and Ethereum, and as such was responsible for a large proportion of all wrapped Ether on the Solana blockchain. This exploit breaks the 1:1 peg, as there is now at least 93,750 less ETH held as collateral. If this ratio is not regained, DeFi on Solana is potentially at risk of a mass liquidation event,” the spokesperson adds.

As users engage more and more with the multi-chain world, services that link blockchains will only become more important, the spokesperson says. “This exploit highlights the catastrophic losses that can occur when critical infrastructure fails. The effects of Wormhole’s exploit on the collateralization of Solana DeFi is of particular note, both in the immediate short term and going forward,” CertiK says.

Attack Analysis

Twitter user @samczsun, who says he is a research partner at crypto and web3 investment firm Paradigm, explains how the attackers likely exploited the network.

“Ethereum, or Solana? A quick check of the encoded VM that the attacker submitted showed that it contained valid signatures from the guardians. This meant that either they got the private keys, or they exploited the bridge,” samczsun says.

Investigating previous transactions and checking Wormhole’s Github, the researcher says they determined that attackers likely took the latter route. But to execute a function that would have allowed them to call a function to obtain the 120,000 ETH, they needed a valid VAA.

“How did the attacker generate a VAA account that the bridge would accept? When we checked the VAA account that the attacker used, we found that it had been created in an even earlier transaction,” samczsun says. However, for a particular transaction, the attacker called post_vaa on the main Wormhole bridge.

“We needed to figure out how the attacker managed to bypass the signature checks that post_vaa performs. Well, the attacker provided a SignatureSet, which was created in yet another transaction. This one called verify_signatures on the main bridge. The verify_signatures function is meant to take a set of signatures provided by the guardians and pack it into a SignatureSet. But it doesn’t actually do any of the verification itself. Instead, it delegates that to the Secp256k1 program,” samczsun says.

This, the researcher says, is where the problem lies. “The solana_program::sysvar::instructions mod is meant to be used with the instructions sysvar, a sort of precompile on Solana. However, the version of solana_program that Wormhole used didn’t verify the address being used. This meant that you could create your own account which stored the same data that the Instructions sysvar would have stored, and substituted that account for the Instruction sysvar in the call to verify_signatures. This would essentially bypass signature validation entirely,” samczsun says.

“Hours earlier, they created this account which contained a single serialized instruction corresponding to a call to the Secp256k1 contract. Then they passed in that account as the Instruction sysvar. Once they had the fake SignatureSet, it was trivial to use it to generate a valid VAA and trigger an unauthorized mint to their own account. The rest is history,” the researcher says.

They add: “tl;dr – Wormhole didn’t properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.”

Popular Target

Cryptocurrency exchanges remain the soft underbelly of cryptocurrency and it’s not uncommon for them to be robbed, says John Bambenek, principal threat hunter at digital IT and security operations firm Netenrich.

“In the absence of any central authority, there isn’t much that exchanges can do if they are compromised except to watch and track the funds as they walk out the door. The only good news is that it’ll be hard for the thieves to liquidate those assets into hard currency without leaving fingerprints that can lead to their identification,” Bambenek tells ISMG.

The recent string of cryptocurrency breaches is evidence that people who build into a quickly evolving market are more likely to take shortcuts, says Casey Ellis, founder and CTO of crowdsourced bug bounty platform Bugcrowd.

“Web 3.0 is built on the fundamentals of transparency and distributed accountability. Exposure of vulnerabilities in the organizations who are coordinating this is a part of the deal they signed on to. I feel that we’re only in the early stages of understanding what the implications of that look like,” Ellis tells ISMG.