The first half of February has been dramatic for the entire DeFi space. According to our own and several external sources, the Wormhole case is now the second-largest exploit within DeFi in terms of funds lost. It is also the second bridge hack, after Meter.io was exploited; that exploit in turn affected Hundred Finance on Moonriver, where regular users could use the BNB.bsc collateral asset oversold by the Meter hacker to drain funds from the lending protocol.
The wormhole network was exploited for 120k wETH.
ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly.
We are working to get the network back up quickly. Thanks for your patience.
— Wormhole🌪 (@wormholecrypto) February 2, 2022
The attack was caused by a weakness in the signature verification function of the main Wormhole contract on Solana. Because of this issue, the attacker was able to fabricate a message from the Guardians (which verify transfers between chains) in order to mint Wormhole-wrapped Ether.
Before minting Wormhole-wrapped tokens on Solana, Portal’s token minting software employs the verify signatures function to validate the source chain message. This procedure is dependent on information in the instruction sysvar account, which is trusted since it is filled by the Solana runtime.
When invoking a Solana function, users can provide any number of input accounts. Each program is responsible for ensuring that the accounts given are the ones they anticipated.
An attacker might create an account and fill it with data to impersonate the instruction sysvar account. This bogus instruction sysvar may then be sent to Wormhole’s verify signatures function, fooling it into believing the signatures had been correctly validated. An attacker might sign any arbitrary Wormhole message with Solana as the target chain, including messages to mint wrapped Wormhole tokens on Solana.
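The missing check described above, shown beside its corrected form. This is an added example, not Wormhole's code and not the Solana SDK: it is a simplified model in plain Rust, and every type, constant and function name in it is hypothetical.

```rust
// Added example: a simplified model of the account check, with no Solana SDK.
// All names and key values below are hypothetical / constructed.
type Pubkey = [u8; 32];

// Constructed stand-ins for two fixed, well-known addresses.
const INSTRUCTIONS_SYSVAR_ID: Pubkey = [0x01; 32];
const SIG_VERIFY_PROGRAM_ID: Pubkey = [0x02; 32];

// An account as the program sees it: an address plus its stored data.
struct Account {
    key: Pubkey,
    // Model of the sysvar contents: program ids of the transaction's instructions.
    instructions: Vec<Pubkey>,
}

#[derive(Debug, PartialEq)]
enum VerifyError {
    UnexpectedAccount,
    SignatureCheckMissing,
}

// Before: reads whatever account was passed in the sysvar slot.
fn verify_unchecked(ix: &Account) -> Result<(), VerifyError> {
    if ix.instructions.contains(&SIG_VERIFY_PROGRAM_ID) {
        Ok(())
    } else {
        Err(VerifyError::SignatureCheckMissing)
    }
}

// After: the address must match the runtime-owned sysvar before its data is trusted.
fn verify_checked(ix: &Account) -> Result<(), VerifyError> {
    if ix.key != INSTRUCTIONS_SYSVAR_ID {
        return Err(VerifyError::UnexpectedAccount);
    }
    verify_unchecked(ix)
}

fn main() {
    // Constructed inputs: the genuine sysvar and a caller-created look-alike.
    let genuine = Account { key: INSTRUCTIONS_SYSVAR_ID, instructions: vec![SIG_VERIFY_PROGRAM_ID] };
    let look_alike = Account { key: [0xAA; 32], instructions: vec![SIG_VERIFY_PROGRAM_ID] };
    println!("unchecked, look-alike: {:?}", verify_unchecked(&look_alike));
    println!("checked, look-alike:   {:?}", verify_checked(&look_alike));
    println!("checked, genuine:      {:?}", verify_checked(&genuine));
}
```

The two functions differ only in the address comparison, which is the check each program is responsible for making on the accounts it is given.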
Ethereum:
https://etherscan.io/address/0x629e7da20197a5429d30da36e77d06cdf796b71a
Solana:
https://solscan.io/account/CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka
The attacker:
https://etherscan.io/tx/0x4d5201dd4a377f20e61fb8f42e6f929ec16bcec918f0584e39241d15b254a80f
https://etherscan.io/tx/0xd31b155e259a403ebe69831fae0ec2b4bd33dfa090c43b605a57d5c72c4fbbc7
https://etherscan.io/tx/0xacd309b02e4b533484d148de9ab0adf367ed4e70ed751d1ff036152dc3bc0479
Stolen funds are still in the exploiter’s wallets: 93,750 ETH on Ethereum and 432,661 SOL on Solana.
1/2
All funds have been restored and Wormhole is back up.
We’re deeply grateful for your support and thank you for your patience.
— Wormhole🌪 (@wormholecrypto) February 3, 2022
Stolen funds have been restored by Wormhole to ensure a 1:1 token backing ratio.
The Wormhole team contacted the attacker via a transaction, offering a $10m bug bounty for the exploit details and the return of the stolen funds:
https://etherscan.io/tx/0x2d8b7901bff18ae6abe1a50aebe44b70559f39ff357b21340843d368b9486859
In addition, Wormhole announced that they are offering a $10m reward for any information leading to the arrest and conviction of those responsible for the hack of the bridge on February 2.
A $10,000,000 bug bounty for exploit details and a whitehat agreement is offered to the hackers in exchange for returning all funds. You can reach out to bounty@wormholenetwork.com
7/
— Wormhole🌪 (@wormholecrypto) February 4, 2022
As always, stay safe and DYOR!
© De.Fi. All rights reserved.