On Wednesday, a hacker was able to transfer over $214 million worth of ether (ETH) out of the Solana network and into the Ethereum blockchain via the Wormhole bridge. This service allows funds to be transferred between different blockchains.
The exploit was described in a Twitter thread by the pseudonymous Twitter account smartcontracts. In one transaction, the hacker transferred the 80,000 Ethereum out of the Wormhole smartcontract on Ethereum. This was only the last of a series hacks that allowed the hacker to take the funds.
“Although this transaction may seem dramatic, it is only the end of an interesting series. “Smartcontracts tweets: I had to work my way backwards to understand how this was possible.”
Guardians signed off on a false transfer
Wormhole, also known as a bridge (or smart contract) on Ethereum, allows you to transfer crypto assets between different blockchains. Smartcontracts say that Wormhole has a group of co-called “guardians” who sign off on transactions between the blockchains.
This 80,000 ETH transfer was signed by the Wormhole guardians as though it were 100% legal.
“The attacker who transferred 80,000 Ethereum from Solana to Ethereum was the one that pulled out 80,000ETH. Although I initially thought the contract might not have validated signatures, the signatures were actually verified.”
Smartcontracts claims that the transaction on Solana generated 120,000 “Wormhole Ethereum” and wrapped it on Solana. This was the partial explanation. The hacker was able create Wormhole Ethereum on Solana and was able correctly to withdraw it to Ethereum.
“Solana is kinda strange”
The transaction history of the hacker shows that there was a transaction just before the 120,000 Wormhole Ethereum was issued. The hacker makes only 0.1 Wormhole Ethereum in this transaction. This is as if he was trying out the function with a smaller amount.
Further examination of the transaction history reveals the hacker made a deposit of 0.1 ETH to Solana from Ethereum. Although the attacker didn’t make a 120,000 ETH deposit to the Wormhole smart contracts on Ethereum, there is something very interesting about this deposit.
In his tweet smartcontract explained that transactions that generated Wormhole Ethereum on Solana were activating a Wormhole smart-contract function called “complete_wrapped”. This function requires a “transfer messaging” parameter, which is basically a message from the guardians of bridge. It tells the guardians which token they want to mint and how much.
These parameters are smart contracts, but Solana is a bit strange. The important thing is how these “transfer messages” contracts are created. Here’s how the 0.1ETH transfer message was created, smartcontracts tweets.
Who is checking the checkers’ work?
The “transfer message contract” is created by activating a function called post_vaa. Post_vaa verifies that the message is valid and checks the signatures of the guardians. This part sounds reasonable, smartcontracts states, but this signature verification step is what broke everything.
The signatures are not checked by the “post_vaa” function. In typical Solana fashion, another smart contract is created by calling “verify_signatures”. One input to the “verify_signatures” function is a Solana program called “system”, which includes various utilities that the contract can use.
The Wormhole program tries to verify that “verify_signatures” was invoked before the function is triggered. This means that it checks that Secp256k1 signature verification function has been executed.
“This verification function is an integrated tool that’s supposed verify that the signatures given are correct. This program has now handled the signature verification. Here’s the problem: smartcontracts tweets.
Wormhole contracts used load_instruction_at for checking that Secp256k1 was called first. However, load_instruction_at was removed relatively recently as it doesn’t check that it is executing against the actual system addresses.
Smartcontracts states that the caller should input the system address for the program to be executed. However, the hacker provided a different address.
This is the system address that was used to input the “verify_signatures” command for the legal deposit of 0.1 Ethereum:
Enter the correct system address
Here’s the transaction “verify_signatures”, which is used to verify the fraudulent deposit of 120k Ethereum.
False system addresses
This is not the system address!
“Using this fake system program, an attacker could lie about the fact the signature check program was executed. Smartcontracts tweeted that signatures were not being verified.
It was over at that point. Although they had not, the attacker made it appear that the guardians had authorized a 120k deposit to Wormhole on Solana. The attacker had to withdraw their “play” money back to Ethereum. All was lost after one withdrawal of 80k Ethereum + 10k Ethereum.
Breakdown: How the hacker stole 80k Ethereum from the Solana Wormhole bridge CryptoSlate.
Did you miss our previous article…