This article is a quick response to this:

Coins Involved
Ether (ETH)
Alright so you have ETH the symbol representing the currency Ether.
Ether is the native asset of the Ethereum network.
WETH
WETH is wrapped Ether. The Ethereum network launched before tokens on Ethereum existed. Tokens on Ethereum use the ERC20 standard.
This standardizes interaction, so dapps can be built general purpose and handle any token.
Since ETH doesn’t have ERC20 bindings, it gets wrapped in a smart contract WETH to standardize its interaction.
weWETH
ETH lives on Ethereum. It can’t leave the chain. In order to represent it on different chains, ETH gets wrapped as WETH and locked in a smart contract. This WETH contract information is transcribed over to another chain via an oracle. When WETH is locked into a bridge contract, it gets a representative receipt token on the other end.
weWETH is the token minted by the Wormhole bridge on the Solana network, which represents a claim on WETH on the Ethereum network.
weWETH can be sent to the bridge contract on Solana to be burned; that info is transcribed via oracle to the bridge contract on the Ethereum network, which then allows ETH to be claimed by the user.
The Attack
The attacker found an exploit on the Solana network bridge contract for the Wormhole bridge. This contract has the ability to mint weWETH. The attacker gained the ability to mint weWETH, increasing the supply without depositing WETH into the deposit contract on the Ethereum network.
This created an imbalance where there was 120k more weWETH on Solana than WETH on Ethereum in the bridge contract.
The attacker then withdrew 80k weWETH from Solana to the Ethereum network, releasing 80k WETH to their address.
The attacker then sold the remaining 40k weWETH on exchanges on the Solana network. These exchanges often have automated market makers, or bids that have not been revoked since the attack occurred.
In this case the attacker is then able to sell the weWETH into the available liquidity on these markets for even more value than the WETH that was locked in the contract.
They exit this attack with 80k WETH in the bridge contract + all the profits from selling 40k weWETH on the market.
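An added example, not from the original article or the Wormhole code base: a minimal Python replay of bridge events that checks the backing invariant (weWETH supply on Solana never exceeds WETH locked on Ethereum). The event names and the 200k of honest deposits are constructed; the 120k mint and the 80k withdrawal are the article's figures.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class BridgeEvent:
    chain: str       # "ethereum" or "solana" (hypothetical labels)
    kind: str        # "lock", "release", "mint" or "burn"
    amount: Decimal


def audit_backing(events):
    """Replay events in order; return (locked, supply, alerts).

    alerts holds (event_index, deficit) for every point at which the
    wrapped supply on Solana exceeds the collateral locked on Ethereum.
    """
    locked = Decimal(0)   # WETH held by the Ethereum bridge contract
    supply = Decimal(0)   # weWETH in circulation on Solana
    alerts = []
    for i, ev in enumerate(events):
        step = (ev.chain, ev.kind)
        if step == ("ethereum", "lock"):
            locked += ev.amount
        elif step == ("ethereum", "release"):
            locked -= ev.amount
        elif step == ("solana", "mint"):
            supply += ev.amount
        elif step == ("solana", "burn"):
            supply -= ev.amount
        else:
            raise ValueError(f"unknown event at index {i}: {step}")
        if supply > locked:   # invariant broken: unbacked tokens exist
            alerts.append((i, supply - locked))
    return locked, supply, alerts


# Constructed sample: honest users first, then the sequence from the article.
SAMPLE_EVENTS = [
    BridgeEvent("ethereum", "lock", Decimal(200_000)),     # honest deposits
    BridgeEvent("solana", "mint", Decimal(200_000)),       # matching mint
    BridgeEvent("solana", "mint", Decimal(120_000)),       # mint with no lock
    BridgeEvent("solana", "burn", Decimal(80_000)),        # attacker bridges back
    BridgeEvent("ethereum", "release", Decimal(80_000)),   # WETH leaves the bridge
]

if __name__ == "__main__":
    locked, supply, alerts = audit_backing(SAMPLE_EVENTS)
    print(f"locked={locked} supply={supply}")
    for index, deficit in alerts:
        print(f"event {index}: weWETH exceeds locked WETH by {deficit}")
```

The deficit is back at 120k after the withdrawal: the 80k WETH released came out of other users' collateral, so redeeming unbacked tokens does not repair the backing.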
Possible Exploit Explanation
It appears the issue was that the contract treated all signatures as valid due to the guardian being set to null. As I understand it, this would define the validation rules.
This is set to null on both Ethereum and Solana ends. Perhaps this is the cause but this has not been broadly validated at this time.


After further review


Shown below, it does appear the issue was invalid signatures.

The attacker deposited 0.1 ETH into the Ethereum bridge contract, but used fake signatures to send false info to the Solana bridge contract that they had deposited 160k ETH.


What surprised me is this was not Wormhole bespoke contracts at fault but a Solana standard library. I wonder how many other protocols might be using this library…


This industry is full of very interesting threat models.

Making an update may have alerted the attacker that the exploit was to be fixed and forced their hand to act quickly and noticeably. However the team didn’t even realize they were addressing a bug. Truly a difficult and unforgiving frontier to build.

Resolution
Wormhole ETH (weWETH) will be backed 1:1 again due to backing being provided by outside parties.

Do note, Wormhole ETH is not the largest WETH wrapper on Solana. There are many different bridges which issue their own wrapped derivative of ETH on the Solana network.
Shoutouts


For balance: