Down the Wormhole: Solana crypto bridge suffers massive hack, with $324m drained

A cross-blockchain bridge associated with the Solana network has suffered a devastating exploit in one of the biggest DeFi hacks of all time.

The Wormhole network says it lost a massive 120,000 in wrapped Ether – US$324 million worth.

The wormhole network was exploited for 120k wETH.

ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly.

We are working to get the network back up quickly. Thanks for your patience.

— Wormhole🌪 (@wormholecrypto) February 2, 2022

Wormhole is a bridge between Solana and other blockchains, allowing users to bridge assets from one network to another. The original asset is supposed to be held in a smart contract on its native blockchain, with a “wrapped” token created on the blockchain being bridged to.

An Optimistic Ethereum developer by the name of Kelvin Fichter explained how the hack took place in a Twitter thread.

The hacker transferred 0.1 Ether from Ethereum into Solana, taking advantage of a bug in the Wormhole contract to trick the system into thinking 120,000 Ether had been deposited.

Using this “fake” system program, the attacker could effectively lie about the fact that the signature check program was executed. The signatures weren’t being checked at all!

— smartcontracts (@kelvinfichter) February 3, 2022

After that point, it was game over. The attacker made it look like the guardians had signed off on a 120k deposit into Wormhole on Solana, even though they hadn’t. All the attacker needed to do now was to make their “play” money real by withdrawing it back to Ethereum.

— smartcontracts (@kelvinfichter) February 3, 2022

And one withdrawal of 80k ETH + 10k ETH later (everything in the bridge on Ethereum), everything was gone.

— smartcontracts (@kelvinfichter) February 3, 2022

The exploit occurred at around 5.30am AEDT — roughly three hours after the Wormhole team had rolled out a patch for the bug, but before the team had deployed the patch.

Fichter posited that possibly the attacker had been keeping an eye on the Github repository the developers use to collaborate on changes to the code, and noticed the vulnerability when they tried to fix it.

Could be that the Wormhole team spotted the bug, patched it, but the attacker got to it before the patch could be rolled out. Super important to keep these sort of patches lowkey and to try to stuff them into larger commits.

— smartcontracts (@kelvinfichter) February 3, 2022

Another possibility is that the “attacker knew about the bug in advance and was forced into exploiting the bug because the patch was being rolled out,” Fichter tweeted. “Seems hard to construct this attack within ~2 hours so could be a possibility here.”

The bug was fixed around noon AEDT, according to Wormhole’s Twitter account.

At lunchtime (Sydney time), “weWETH” (Wormhole Ether) was trading on Raydium for US$2,614 in USD Coin, just a slight discount. Ethereum was trading for US$2,695 in USDC on Uniswap.

Seems like the weWETH peg is *still* holding?

I’m holding my breath for lending team responses / circuit breakers vs. wormhole bailouts.

As other people have said seems like the latter is more likely at this point

— Julian Traversa (@TraversaJulian) February 2, 2022

The Wormhole network said in its announcement that it would add Ether to its vault to ensure that wrapped Ether on Solana was “backed 1:1”. But it didn’t explain where this Ether was coming from.

The hack is the biggest defi exploit since the $611 million Poly Network hack in August.