TL;DR

On February 02, 2022 at 5:58 PM +UTC, a malicious actor launched multiple attacks aiming to bypass the verification process of the Wormhole bridge on Solana. The attacker carried out the second-largest crypto theft from a DeFi protocol ever, which resulted in the loss of roughly 120,000 Wormhole Ethereum (WeETH) worth over $320M.

Event Summary

On February 02, 2022, prior to the attack, the hacker received 0.94 ETH from Tornado Cash, an Ethereum-based mixer, which was used to pay for gas fees on the transactions immediately following the initial hack. The threat actor also sent 0.1 ETH to a deposit address at a large, international exchange.

During the attack, the hacker bypassed the verification step by injecting a fake sysvar account and successfully generated a malicious “message” that specified for 120,000 wETH to be minted. By invoking the “complete_wrapped” function with the malicious “message”, the attacker successfully minted 120,000 wETH. Two minutes after the minting, the exploiter bridged 10,000 ETH to the Ethereum blockchain and another 80,000 ETH transaction occurred on the Ethereum blockchain about 20 minutes later. To this day, the funds are still sitting in the attacker’s wallets including: Account CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka and 0x629… being the ones with the largest amounts amongst others.

Wormhole announced on their Twitter account that they had noticed an exploit on the day of the attack. On February 03, 2022, Jump Trading, Wormhole’s parent company, stepped in and posted on their Twitter account that they supplied Ether to replace what was stolen after attempts to pay the hacker a bounty of $10 million in return for the stolen funds were ignored. On February 08, 2022 Solana released a postmortem that can be found here: Solana’s Wormhole Hack Post-Mortem Analysis.

Security Issues With Cross-Chain DeFi Bridges

Individuals can’t simply move their assets from one blockchain to another; instead, they have to use a cross-chain bridge to achieve this. Cross-chain bridges work by an individual investor depositing their tokens on one chain, and receiving a debt token on the other chain. Once an individual burns their debt token on one chain, the deposit is released on the other chain.

To achieve this, cross-chain bridges combine multiple structures such as custodian, debt issuer, and an oracle. This makes cross-chain bridges somewhat vulnerable as there are multiple attack avenues for would-be hackers to exploit.

As well as Wormhole Bridge exploit, there have been highly profitable cross-chain bridge attacks including Harmony. In this case, the exploiter was able to control a MultiSig Wallet to approve a transfer 13,100 ETH to the exploiters address. The detailed analysis on the Harmony incident can be found here: Harmony Incident Analysis - Blog - CertiK Security Leaderboard

An earlier attack against Qubit is also an example of a cross-chain bridge exploit. Qubit was hacked for $80 million on January 27, 2022. In this exploit, the attacker called in the QBridge contract without any ETH attached in this transaction. The hacker abused the functions of the QBridge contract and faked an ETH event with an ERC20 event. Faking the ETH event enabled the malicious actor to pass the validation in the QBridgeHandler and mint around 77,162 qxETH in the crossed chain.

The Wormhole Bridge exploit is the second biggest attack after the Ronin exploit which was allegedly committed by North Korean Lazarus Group. At the end of March, Ronin, an ETH sidechain built for the nonfungible token game named Axie Infinity, was hacked for over 173,600 Ether (ETH) and 25.5 million USD Coin (USDC) for over $600 million. The company officially reported that the hackers managed to get access to private keys to validator nodes resulting in the compromise of five validator nodes. The Ronin chain consisted of nine validator nodes and the hackers managed to get access to four of them along with a third-party validator run by decentralized autonomous organization Axie DAO.

Attack Technical Analysis

1. The attacker invoked the “verify_signatures” function with a spoofed sysvar account:

Solana transaction details | Solscan

a) The fake “verify_signatures” function with a malicious “sysvar account”:

In contrast, the following snapshot is a correct “verify_signatures” function with the correct “sysvar account”:

b) The "verify_signatures" function loads the current instructions from sysvar (L92).

c) However, the function “load_current_index” does not validate whether the injected ”sysvar account“ is actually the “system sysvar”. As the current instruction (L92) retrieved from ”sysvar“ is controlled by the attacker, it will succeed in the following verification process.

2. The attacker then invoked the “post_vaa” function with the verified signatures from the previous step and created a malicious message account stating 120,000 wETH to be minted: Solana transaction details | Solscan

a) Account2 is the signature set generated by the “verify_signatures” instruction.

b) Account3 is the message account that will be used in the following “complete_wrapped” function.

3. The attacker invoked the “complete_wrapped” function that reads the data in the malicious message account and mints the 120,000 wETH: Solana transaction details | Solscan

a)Account3 is the message account generated by the “post_vaa” function.

b) Account6 is the “to” address to receive the minted Wormhole ETH.

c) Account9 is the mint authority for Wormhole ETH and is a PDA (program-derived-address). This is why after signature verification is passed, the attacker can mint tokens directly.

4. Part of the minted wETH is transferred to Ethereum. The rest were swapped to USDC and SOL:

Solana transaction details | Solscan

Solana transaction details | Solscan

Solana transaction details | Solscan

Solana transaction details | Solscan

Contract Vulnerability Analysis

The root cause of this exploit is that in the verification process (“verify_signatures”), the program used a deprecated function “load_current_index”. This function does not verify that the inputted ”sysvar account” is actually the “system sysvar”, allowing an attacker to falsify this critical account.

Profit and assets tracing

Attacker accounts holding assets

432,662.14 SOL ($46,649,632.46) 46.6M 432659.84 Sol

Account CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka

93,750 Ether ($251,703,522.57) 251M

https://etherscan.io/address/0x629e7da20197a5429d30da36e77d06cdf796b71a

251M + 46.6M = 297.6M

1444.16 USDC sent to DiLuXdZ5TbQ1jUNEF6tNstHNqXJ3mTCrsVrM6DeX18Mh

Solana transaction details | Solscan

16879.39 ETH to 269,356.66 SOL

Solana transaction details | Solscan

1866ETH to 4.9M USDC

Solana transaction details | Solscan

7504 ETH to 18M USDC

Solana transaction details | Solscan

18,044,852.11 USDC to 122,049 SOL

Solana transaction details | Solscan

Attacker accounts on Solana:

The account which minted 120,000 Ether (Wormhole): Account 2SDN4vEJdCdW3pGyhx2km9gB3LeHzMGLrG2j4uVNZfrx

The account which created the above account: Account CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka

Source of the first tx fees:

The account which transferred SOL to the attacker account: Account 2ojv9BAiHUrvsm9gxDe7fJSzbNZSJcxZvf8dqmWGHG8S

Transaction of transferring SOL to the attacker account: Solana transaction details | Solscan

Conclusion:

Overall, the Wormhole bridge exploit came from a failure to validate "guardian" accounts, resulting in the attacker being able to mint 120,000 wETH with no ETH backing it. DeFi protocols and cross-chain bridges are critical infrastructure in the crypto ecosystem, and successful attacks have long-lasting and severe impacts. Incidents such as the Wormhole bridge attack demonstrate just how devastating cross-chain bridge exploits can be, and how important it is to secure all avenues of attack. To prevent such an issue occurring in the future, it is mandatory to check and verify all accounts a function uses. This is especially true in this case where part of the verification process was placed on an external function.