$321 942 000 USD

FEBRUARY 2022

GLOBAL

WORMHOLE NETWORK

DESCRIPTION OF EVENTS

"The best of blockchains. Move information and value anywhere." "Wormhole is a generic message passing protocol that connects to multiple chains including Ethereum, Solana, Terra, Binance Smart Chain, Polygon, Avalanche, and Oasis." "The foundation that an ecosystem of apps is built on top of." "Apps can now live across chains at once and integrate the best of each."

 

"Wormhole SDK integrates your project with our generic messaging layer. Wormhole SDK makes it easier than ever for teams, apps, protocols, and users to move value seamlessly across networks without fees." "Six high-value networks, two centralized exchanges, and 19 dexes. Anyone in the community can add new networks to the protocol and build the future of blockchain."

 

"Wormhole is built to be trust-minimized from the ground up with a group of six networks secured by 19 equally weighted guardians in the core layer." "Send your message to Wormhole. The Guardian network observes the transaction. Quorum is achieved in seconds. Guardians make your attested message publicly available. Access your message on a different chain."

 

"Wormhole is a decentralized, cross-chain message passing protocol. It enables applications to send messages from one chain to another. The network is operated by a decentralized group of nineteen Guardians who sign each transmitted message to attest to its authenticity. The protocol uses a multi-party signature system where a message is treated as authentic if ⅔+ of the Guardians have signed it."

 

"Portal is a token bridge constructed on top of the Wormhole network. Portal enables users to deposit funds into a contract on a source chain, then mint a Wormhole-wrapped version of the token on a destination chain. The minting function requires a Wormhole-authenticated message from the source chain contract. This check ensures that Wormhole-wrapped tokens are backed 1:1 by tokens in the source chain contract."

 

"The Guardians are also responsible for governing the Wormhole network. Upgrades to the protocol and contracts require a supermajority vote of Guardians."

 

"Chicago-based Jump Trading acquired Certus One, the developer behind Wormhole, in August [2021]."

 

"On Feb 2, 2022, an attacker exploited a signature verification vulnerability in the Wormhole network to mint 120k Wormhole-wrapped Ether on Solana. These tokens were not backed by Ether deposits on the Ethereum side of the Portal bridge. The attacker then bridged 93,750 of these tokens to Ethereum, withdrawing the unwrapped Ether from the contract."

 

"Wormhole had a loophole... A hacker distorted the fabric of Solana's space-time, netting $326M in the process. How did Wormhole return so much ETH so fast?" "The Wormhole network lost about $320 million in cryptocurrency funds after a novel vulnerability was exploited on February 2."

 

"The Wormhole hack exploited vulnerabilities in a novel element of crypto technology known as a cross-chain bridge, which allows investors to switch back and forth between digital currencies built on separate blockchains. Some DeFi platforms facilitate these conversions to help people capitalize on trading opportunities; a trader who owns lots of Ether, for example, might want to use an application on another currency’s blockchain without having to sell the Ether and buy the other currency." "This Meter hack took the shape of the previous Wormhole breach some days ago. In the attack, the hackers stole more than $320 million in wETH."

 

"[A] signature verification vulnerability was exploited. The perpetrator targeted wETH tokens on Solana that were not tied to Ethereum deposits, bridging them to Ether in order to steal them."

 

“The theft was allowed because of a rather common programming error. The function inside of the multiple nested smart contracts which was supposed to verify the signature was not coded to ensure the integrity check actually happened. So there was no integrity guaranteed in the integrity check.”

 

"The hackers pulled off the theft by using an earlier transaction to create a signatureset, which is a type of credential. With this, they created a VAA, or validator action approval, which is essentially a certificate needed for approving transactions."

 

"In a nutshell, the attacker forged the signature on a transaction in wormhole, then submitted the invalid transaction to the Solana (CRYPTO:SOL) network as a valid one, which allowed the fraudulent minting of a large number of ETH tokens on the Solana network. They then transferred many of those tokens to a digital wallet on the Ethereum network."

 

"Apparently, the vulnerability had already been detected and fixed in the code that interoperates between wormhole and Solana, but the fix had not yet been deployed to wormhole. This allowed the attacker to exploit vulnerable, deprecated code to accomplish their theft. This is reassuring in one way (the problem had already been detected and addressed) but disturbing in another (despite the available fix, the vulnerability was not blocked)."

 

"Open-source code commits show that code that would have fixed this vulnerability was written as early as January 13th and uploaded to the Wormhole GitHub repository on the day of the attack. Just hours later, the vulnerability was exploited by the hacker, suggesting that the updates had not yet been applied to the production application."

 

"There has been a lot of confusion, however, about how the Wormhole hack happened. I want to [summarize] and explain how the hack worked, for non-technical audiences. To create wETH on their chain, Solana checks that there is a valid signature, and that the signature comes from a Guardian. Proper usage means there is a valid signature (Correct) from a guardian (Correct). These two conditions match, and so the request is approved. They expected an attacker would issue an invalid signature (Incorrect) from a guardian (Correct). These two conditions do not match, so the request is denied. The hack: The attacker issued an invalid signature (Incorrect) from a non-guardian (Incorrect). **But these conditions match: incorrect matches incorrect**. So the request is APPROVED (!!) and the ETH was stolen on the Solana network. The Ethereum network successfully processed a withdrawal, because Solana told Ethereum "it's all good, this is legit", but Solana's logic for determining whether it is good was flawed."

 

"As software developer Matthew Garrett observed on Twitter, the code upload was described as if it were a run-of-the-mill version update but actually contained extensive changes — a fact that could have tipped off the attacker to the fact that it was a disguised security fix."

 

"Look, commits that claim to just be a version number bump and which then actually contain code are a fucking *huge* red flag that this is a security critical fix that you don't want to admit to."

 

"[A] post from the Wormhole Twitter account announced that the network was being taken “down for maintenance” while a potential exploit was investigated. A later post from Wormhole confirmed the hack and the amount stolen."

 

"The wormhole network is down for maintenance as we look into a potential exploit. We will provide updates here as soon as we have them. Thank you for your patience."

 

"Due to the nature of cross-chain applications, the attack temporarily left a huge deficit between the amount of wrapped Ethereum and regular Ethereum held in the Wormhole bridge."

 

"The stolen funds consisted of 120,000 wrapped Ether (wETH), a form of standardized token that represents a variety of cryptocurrency types and allows them to be traded directly. It is unclear where the funds the victims were reimbursed with came from, but Wormhole has pledged to back wETH one-for-one with the Ethereum network’s Ether coin going forward."

 

"The hacker then exchanged 93,750 wETH for Ethereum and changed the remainder for Solana, which they've left untouched in their Solana wallet."

 

"To prevent further exploits, Wormhole node operators temporarily stopped relaying messages from on-chain contracts, then upgraded the contract to fix the vulnerability."

 

"Jump Crypto has recapitalized the contract to ensure that all Wormhole-wrapped Ether on every chain is fully backed. The Wormhole network is back online and fully operational as of 13:29 UTC, Feb 3, 2022. The total duration of the incident was approximately 16 hours."

 

"The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience."

 

"Wormhole says that the vulnerability has been patched and that all funds have been restored, and that the project will be backing funds one-for-one with Ether going forward." "This incident was deeply problematic, since it resulted in exploitation and financial losses to the company that released the software, but investor funds have been restored."

 

"Certus One contacted the hacker(s) as soon as the software problem was fixed, offering them a $10 million bug bounty if they work collaboratively to restore the stolen ETH. There is also a $10 million reward available to anyone else who can provide details that lead to the arrest and conviction of the hacker."

 

"The company is also offering a bounty of $10 million for information leading to the arrest of the responsible party or recovery of the stolen funds, and has announced that it will be launching an ongoing bug bounty program on Immunefi sometime this month that will offer maximum bounties of $3.5 million for disclosure of new vulnerabilities."

 

"A $10,000,000 reward is offered for any information leading to the arrest and conviction of those responsible for the hack of Wormhole on February 2, 2022, or the recovery of the stolen assets. The $10,000,000 whitehat offer remains open for the timely return of the funds."

 

"Similar to previous large-scale DeFi hacks, potential victims and donation-seekers have begun to send the hacker on-chain messages through Ethereum transactions. These have ranged from small transfers of worthless tokens or those seeking donations using blockchain names such as “hackerplsdonate.eth” to get the hacker’s attention. One individual claimed to have lost $100,000 in the hack."

 

"As hacks go, this one was handled quickly, and because the ETH tokens were replaced by Jump Trading, no investor funds were lost."

Wormhole Finance is a decentralized bridge between multiple chains including Ethereum, Solana, Terra, Binance Smart Chain, Polygon, Avalanche, and Oasis. A decentralized network of 19 guardians secures the bridge. An attacker exploited a signature verification vulnerability in the smart contract hot wallet for the Ethereum-to-Solana bridge. This was used to mint 120k wrapped Ether, which was unwrapped to redeem for Ether. The hackers were offered a $10m bounty to return the funds, and a $10m bounty is available for any information leading to their arrest or the return of the funds. So far the hackers have not responded.
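
The class of mistake described in the quotes above, a mint path that trusts a signature set without confirming that verification really produced it, can be shown in a small model. This is an added example, not Wormhole or Solana code: the `Record` type, the `verifier-record` address and all sample values are constructed, and "⅔+" is taken to mean strictly more than two thirds of the 19 guardians.

```rust
// Added illustration: a simplified model, not Wormhole or Solana code.
use std::collections::HashSet;

pub const GUARDIANS: usize = 19;
// Hypothetical address of the only record the signature-checking step writes to.
pub const VERIFIER_RECORD: &str = "verifier-record";

/// A record handed to the mint path. `address` is fixed by the platform;
/// the caller only chooses which record to pass in.
pub struct Record {
    pub address: &'static str,
    pub message_hash: u64,
    pub verified: HashSet<usize>, // guardian indexes marked as verified
}

/// "2/3+" of the guardian set: strictly more than two thirds (13 of 19).
pub fn quorum(n: usize) -> usize {
    n * 2 / 3 + 1
}

/// Weak form: counts entries but never asks who wrote the record.
pub fn accept_weak(r: &Record, message_hash: u64) -> bool {
    r.message_hash == message_hash && r.verified.len() >= quorum(GUARDIANS)
}

#[derive(Debug, PartialEq)]
pub enum Reject { UntrustedRecord, WrongMessage, UnknownGuardian, NoQuorum }

/// Hardened form: the record must be the one the verifier writes, cover this
/// exact message, and name only real guardian indexes before quorum is counted.
pub fn accept_strict(r: &Record, message_hash: u64) -> Result<(), Reject> {
    if r.address != VERIFIER_RECORD { return Err(Reject::UntrustedRecord); }
    if r.message_hash != message_hash { return Err(Reject::WrongMessage); }
    if r.verified.iter().any(|&i| i >= GUARDIANS) { return Err(Reject::UnknownGuardian); }
    if r.verified.len() < quorum(GUARDIANS) { return Err(Reject::NoQuorum); }
    Ok(())
}

/// Constructed sample input: a record claiming `count` verified guardians.
pub fn sample(address: &'static str, message_hash: u64, count: usize) -> Record {
    Record { address, message_hash, verified: (0..count).collect() }
}

fn main() {
    let forged = sample("caller-made-record", 0xabc, 19);
    println!("weak:   {}", accept_weak(&forged, 0xabc));
    println!("strict: {:?}", accept_strict(&forged, 0xabc));
}
```

The weak check approves a record that nothing ever verified, while the hardened check rejects it before quorum is even counted.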

HOW COULD THIS HAVE BEEN PREVENTED?

In general, complex smart contract hot wallets shouldn't be in charge of minting. Instead, this should always be the responsibility of a simple multi-sig wallet with cold storage keys held by trusted individuals. If a hot wallet is needed for distribution, that should be audited by two competent firms and never exceed a value which the project can self-insure from other liquid assets.

 




© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.