Wormhole Hack: Code Vulnerability Has Led to $325 Million Stolen

February 2, 2022

Summary #

On February 3, 2022, a security breach occurred on Wormhole, a DeFi platform designed to facilitate the transfer of tokens and NFTs across various blockchains such as Ethereum, Solana, and Binance Smart Chain. The attacker successfully exploited a vulnerability by utilizing a spoofed sysvar account, enabling them to mint 120,000 wrapped ETH (wETH) tokens on the Solana network. These tokens were later deemed invalid. Subsequently, the attacker redeemed 93,750 wETH tokens for an equivalent value of ETH tokens on the Ethereum network. Additionally, the remaining invalid tokens were exchanged for USDC and SOL tokens, as indicated in the Certic incident analysis report. As a result of the breach, the Solana cryptocurrency experienced a 10% decline in value, according to Forbes. Despite concerns of a potential collapse and devaluation of wETH, Jump Trading, the parent company of Wormhole and a significant participant in the Solana ecosystem, intervened by providing replacement Ether for the stolen funds. Notably, attempts to negotiate with the hacker by offering a $10 million bounty in exchange for the return of the stolen funds were unsuccessful.

Attackers #

The identities of the attackers involved in the incident remain unknown. The hacker’s account: CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka and wallet: 0x629e7Da20197a5429d30da36E77d06CdF796b71A.

Losses #

The attacker orchestrated a significant theft by minting 120,000 wETH, which represented approximately $325 million in value at the time of the incident. This incident stands as the largest attack ever witnessed on the Solana blockchain.

On February 21, 2023, Jump Crypto, the cryptocurrency division of Jump Trading, joined forces with Oasis to successfully recover a portion of the stolen funds. Through a counter-exploit strategy, they leveraged the Oasis contract to gain control over the perpetrator’s vaults. As a result, approximately $140 million was retrieved. This remarkable intervention was made possible by obtaining a court order from the High Court of England and Wales, which compelled Oasis to retrieve the assets associated with the wallet address involved in the Wormhole exploit.

Timeline: #

February 2, 2022, 8:15 PM: Following the attack, Wormhole reached out to the hacker with a whitehat agreement, offering a $10 million bounty through a transaction message. However, the hacker did not respond.
February 3, 2022, 2:42 AM: Wormhole announced on Twitter that they were undergoing “maintenance” while investigating the exploit.
February 3, 2022, 4:25 AM: The official Wormhole Twitter account confirmed the security breach and the specific amount stolen, which totaled 120,000 wETH.
February 3, 2022, 6:41 AM: In a subsequent tweet, Wormhole announced that the vulnerability had been patched, resolving the issue.
February 21, 2023: Jump Crypto, the parent company of Wormhole, successfully retrieved $140 million through a counter-exploit, gaining control over the perpetrator’s vaults.

Security Failure Causes #

The hack was attributed to a bug in the signature verification code, which the intruder potentially discovered by examining the commit history in Wormhole’s Github repository. This flaw allowed the attacker to circumvent the signature verification process as it failed to properly validate whether the verification came from a whitelisted address. Unfortunately, the team was unable to deploy the updated version in time to prevent the attack, enabling the attacker to substitute their own program address for the system address and bypass the signature verification mechanism.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam