Hack Track: Analysis of Wormhole Token Bridge Exploit

On February 2, 2022, the Wormhole Token Bridge, suffered an exploit, which resulted in the loss of 120,000 Wrapped Ether (wETH) tokens worth over $320 million at the time. Wormhole is a popular cross-chain bridge that links Ethereum and Solana blockchain.

This is the largest crypto exploit of 2022 so far and the second-largest decentralized finance (DeFi) attack to date. The attack happened amidst a rapid increase in hacking incidents suffered by DeFi platforms. In fact, according to a report by CertiK, which is a leading security-landing platform, the amount of money lost in the hack of DeFi projects more than doubled to $1.3 billion in 2021.

Of late, the attacks on bridge platforms are on the rise. The news of the Wormhole exploit comes shortly after the Quibit Finance attack, wherein the attacker took advantage of a logical error in Qubit’s smart contract to input malicious data to steal $80 million worth of cryptocurrency. Bridges between chains are often more susceptible to exploits as they require more interactions and contract approvals than the other

What happened?

Essentially, the attacker bypassed the verification process of the Wormhole bridge on Solana by injecting a spoofed syvsar and successfully generating a malicious message that “specified for 120,000 wETH” to be minted.

Kudelski Security — a leading provider of comprehensive cybersecurity solutions — published a report analysing the exploit.

In order to understand the hack, it is important to understand how the Wormhole bridge works. According to the report, tokens created on each chain, for instance, ERC20 on Ethereum and SPL tokens on Solana are managed separately by a smart contract. The Wormhole’s Guardians network signs of the transfers between the chains — basically before a token on one chain is transferred to another chain, the Guardians ensure that the minted tokens are correctly generated by verifying their signature on the secp256k1 curve.Secp256k1 is the name of the elliptic curve used by Bitcoin to implement its public-key cryptography.

Further, in the Solana blockchain, the instruction_sysvar account contains all instructions related to the transaction that is being processed, allowing program instructions to reference other instructions in the same transaction. Kudelski Security states that “For Wormbridge, the verify_signatures function is called priorly to get the signed signature_set for the function post_vaa.” This essentially means that the Wormhole program uses the sysvar program to obtain a set of signatures from the prior instructions.

According to Kudelski’s Security’s analysis, during the exploit, the verify_signatures function used the load_instruction_at function. The load_instruction_at function is used to output an instruction that is derived from the input data, which is the data of the instruction sysvar account. The problem with the load_instruction_at function is that it does not check if the input sysvar program account is the real sysvar account. Therefore, the validity of the instruction svyar program was never verified. Taking advantage of this, the attacker created a fake sysvar account with fake data.

Since the attacker also spoofed the signatures with previously valid transferred tokens. All the signatures in the signature_set were marked as true, which means that the spoofed signatures were considered valid. The report explains that as soon as the signature_set is created, the function post_vaa checks if it has enough signatures to reach the consensus to post a Validator Action Approval (VAA). Since the attacker had a valid VAA, he triggered an unauthorized minted 120,000 wETH to his own account.

Post the attack, the Wormhole team assured its users that Wormhole’s ETH supply would be replenished to ensure wETH is backed 1:1. Soon after the attack, the Wormhole team also offered the hacker a $10 million bounty to return the funds, which was embedded as text in a transaction sent to the attacker’s Ethereum wallet address. On February 3, 2021, Jump crypto, a venture capital firm that owns Certus One, the firm, which is the developer of Wormhole, announced that it had deposited 120 thousand ETH into the affected Solana-Ethereum to replenish the losses.

Merkle Science has blacklisted the wallet addresses involved in the Wormhole exploit

Merkle Science’s on-chain analysis

According to Merkle Science’s on-chan analysis, the attackers fraudulently minted 120,000 wETH worth over $320 million from the Wormhole Bridge on Solana blockchain without putting up the corresponding ETH as collateral. Just before the exploit, the attacker received 0.9 ETH from Tornado Cash, a popular coin mixing service. The attacker may have planned to use 0.9 ETH to conduct a contract call. A contract call is where a user requests a specific function from a smart contract that, unlike a transaction, doesn't publish anything on the blockchain. 0.1 ETH out of 0.9 ETH was transferred to a wallet address associated with a prominent exchange.

Firstly, 93,750 ETH ($275 million) was moved from Solana to the Ethereum blockchain using the Wormhole bridge. Then from the Ethereum blockchain it was transferred to the following ETH address: 0x629e7da20197a5429d30da36e77d06cdf796b71a. This is the wallet address of the attacker.

Out of the 120,000 minted wETH, the attacker converted $80,000 worth of wETH from Wormhole bridge back to ETH using the wETH smart contract. These ETH funds haven’t moved out of the attacker’s wallet 0x629e7da20197a5429d30da36e77d06cdf796b yet.The remaining 26,249 ETH on Solana blockchain has been moved to a Solana wallet address.