Wormhole Hack: Code Vulnerability Has Led to $325 Million Stolen

Summary

On February 3, 2022, a security breach occurred on Wormhole, a DeFi platform designed to facilitate the transfer of tokens and NFTs across various blockchains such as Ethereum, Solana, and Binance Smart Chain. The attacker successfully exploited a vulnerability by utilizing a spoofed sysvar account, enabling them to mint 120,000 wrapped ETH (wETH) tokens on the Solana network. These tokens were later deemed invalid. Subsequently, the attacker redeemed 93,750 wETH tokens for an equivalent value of ETH tokens on the Ethereum network. Additionally, the remaining invalid tokens were exchanged for USDC and SOL tokens, as indicated in the Certic incident analysis report. As a result of the breach, the Solana cryptocurrency experienced a 10% decline in value, according to Forbes. Despite concerns of a potential collapse and devaluation of wETH, Jump Trading, the parent company of Wormhole and a significant participant in the Solana ecosystem, intervened by providing replacement Ether for the stolen funds. Notably, attempts to negotiate with the hacker by offering a $10 million bounty in exchange for the return of the stolen funds were unsuccessful.

Attackers

The identities of the attackers involved in the incident remain unknown. The hacker’s account: CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka and wallet: 0x629e7Da20197a5429d30da36E77d06CdF796b71A.

Losses

The attacker orchestrated a significant theft by minting 120,000 wETH, which represented approximately $325 million in value at the time of the incident. This incident stands as the largest attack ever witnessed on the Solana blockchain.

On February 21, 2023, Jump Crypto, the cryptocurrency division of Jump Trading, joined forces with Oasis to successfully recover a portion of the stolen funds. Through a counter-exploit strategy, they leveraged the Oasis contract to gain control over the perpetrator’s vaults. As a result, approximately $140 million was retrieved. This remarkable intervention was made possible by obtaining a court order from the High Court of England and Wales, which compelled Oasis to retrieve the assets associated with the wallet address involved in the Wormhole exploit.

Timeline:

  • February 2, 2022, 8:15 PM: Following the attack, Wormhole reached out to the hacker with a whitehat agreement, offering a $10 million bounty through a transaction message. However, the hacker did not respond.
  • February 3, 2022, 2:42 AM: Wormhole announced on Twitter that they were undergoing “maintenance” while investigating the exploit.
  • February 3, 2022, 4:25 AM: The official Wormhole Twitter account confirmed the security breach and the specific amount stolen, which totaled 120,000 wETH.
  • February 3, 2022, 6:41 AM: In a subsequent tweet, Wormhole announced that the vulnerability had been patched, resolving the issue.
  • February 21, 2023: Jump Crypto, the parent company of Wormhole, successfully retrieved $140 million through a counter-exploit, gaining control over the perpetrator’s vaults.

Security Failure Causes

The hack was attributed to a bug in the signature verification code, which the intruder potentially discovered by examining the commit history in Wormhole’s Github repository. This flaw allowed the attacker to circumvent the signature verification process as it failed to properly validate whether the verification came from a whitelisted address. Unfortunately, the team was unable to deploy the updated version in time to prevent the attack, enabling the attacker to substitute their own program address for the system address and bypass the signature verification mechanism.