Down the Rabbit Hole of the Wormhole Hack
$323 million was stolen by hackers. This is the fourth-biggest crypto theft ever. What is Wormhole and how did this happen?
Wormhole is an infrastructure protocol on the Solana blockchain. On top of it Portal is built, a bridge that allows its users to wrap tokens and issue the same token on a different layer-1 blockchain. When you wrap a token, you lock it up in a smart contract and that smart contract issues the wrapped version of that token on another blockchain. Portal is built to be the bridge between Solana and other protocols such as Ethereum, Avalanche, and Terra.
How did the hack happen?
The hacker was able to mint 120,000 Wormhole-wrapped ETH (weETH) on the Solana blockchain and later used the Portal bridge to bring 93,750 of those to the Ethereum blockchain.
Normally, when you want to bridge your token to a different blockchain, you need to deposit the token first. The hacker didn’t do that. They used a vulnerability in the code to authorize the minting transaction to take place without a deposit.
Wormhole uses Guardians to create “Transfer Messages”, these are commands by the protocol that says which token to mint and how much of it. There are a total of 19 Guardians and ⅔ of them need to sign a Transfer Message as authentic for it to be approved.
A Transfer Message is created by calling a function called “post_vaa”. This function calls on “verify_signatures”, a function that verifies that the signatures are actually from the guardians and not another source. The “verify_signatures” function uses a Solana-based program, called ‘Secp256k1’ as an input for its execution.
The hacker exchanged this program for a self-written program that provided the function with positive feedback about the signatures of the guardians being authentic. The “verify_signatures” function accepted the input from this self-written program and accepted the transaction. The hacker provided proof for the Wormhole protocol that the program has signed off on the 120k deposit.
The final step was the actual withdrawal of the ETH onto the Ethereum blockchain. This happened shortly after and the funds were gone. The hacker walked away with $323 million worth of ETH.
The Wormhole team directly issued a Twitter statement stating that “The wormhole network is down for maintenance as we look into a potential exploit.” About 16 hours later the issue was fixed and the protocol was back fully operational.
Jump Crypto, a research-driven quantitative trading firm and contributor to the development of crypto infrastructure, decided to step in and provide the $323 million worth of ETH to the Wormhole protocol to assure continuity of the project.
The incredible thing is that a fix for this vulnerability was proposed in Github a few weeks prior. However, it was not implemented on time. This shows one of the vulnerabilities of open-source development. The Wormhole team also responded to this and argued that the proposed solution a few weeks prior was just a coincidence and not aimed at solving the vulnerability that was exposed during the hack.
The future of Wormhole
Wormhole continues to be used and has recovered from its hack from a usage perspective. They have announced that it will give a $10 million bounty for the person who reveals the hacker and returns the funds.
Prior to the launch of the Wormhole protocol in mid-2021, the code was reviewed by Neodyme — a prestigious auditing firm in the Solana ecosystem. The report of that audit was published in January 2022.
Wormhole has also announced that Kudelski is currently working on an audit, Neodyme will continue with ongoing audits and that Trial of Bits has been contracted to do another two audits later this year.
Lossless is the world’s first DeFi hack mitigation tool for token creators. Apart from our known cyber security solutions and renowned professionals, the community also plays a role. With a tangible reward system, community members are also encouraged to explore new ways to detect hacks and fraudulent transactions.
Our protocol halts counterfeit transactions through various methods of fraud identification and automatically reverses any stolen tokens back to the original owner. Our solutions to the impending problems of cyber theft within the blockchain space are thorough and applicable within many protocols.