On 2nd February 2022, a hacker manipulated Wormhole, Solana’s bridge, to credit 120k ETH on Ethereum. This allowed them to mint the equivalent amount of wrapped whETH (Wormhole ETH) on Solana.
The wormhole network was exploited for 120k wETH.
ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly.
We are working to get the network back up quickly. Thanks for your patience.
— Wormhole🌪 (@wormholecrypto) February 2, 2022
To do this, the hacker used a SignatureSet created in a previous transaction to bypass Wormhole’s ‘guardians’. They then called the contract’s ‘verify_signatures’ function, which delegated the task of verifying the SignatureSet to a Secp256k1 program. The discrepancy between solana_program::sysvar::instructions and the solana_program Wormhole was using enabled the hacker to provide an address containing just 0.1 ETH.
Using an account created only hours earlier that held a single serialized instruction corresponding to the Secp256k1 contract, they could fake the SignatureSet and call ‘complete_wrapped’, fraudulently minting 120k whETH on Solana using VAA verification from a prior transaction. Subsequently, 93,750 ETH was bridged back to Ethereum over three transactions into the hacker’s wallet. The remaining 36k whETH were liquidated into USDC and SOL tokens on Solana.
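The missing check described above can be shown with a simplified model. This is an added example, not Wormhole or solana_program source: the types, the 32-byte toy layout and the constant addresses are constructed for illustration.

```rust
// Simplified model of the account check; not solana_program or Wormhole source.
#[derive(PartialEq, Debug)]
struct Pubkey([u8; 32]);

struct AccountInfo { key: Pubkey, data: Vec<u8> }

// Constructed stand-ins for the real sysvar and program addresses.
const SYSVAR_INSTRUCTIONS_ID: Pubkey = Pubkey([1; 32]);
const SECP256K1_PROGRAM_ID: Pubkey = Pubkey([2; 32]);

#[derive(PartialEq, Debug)]
enum VerifyError { WrongSysvarAccount, Malformed, NotSecp256k1 }

// Toy layout (assumption): the first 32 bytes name the program the instruction targets.
fn program_id_of(data: &[u8]) -> Result<Pubkey, VerifyError> {
    let head = data.get(..32).ok_or(VerifyError::Malformed)?;
    let mut id = [0u8; 32];
    id.copy_from_slice(head);
    Ok(Pubkey(id))
}

// Unchecked: parses whatever account the caller labelled "instructions sysvar".
fn verify_unchecked(ix: &AccountInfo) -> Result<(), VerifyError> {
    if program_id_of(&ix.data)? != SECP256K1_PROGRAM_ID {
        return Err(VerifyError::NotSecp256k1);
    }
    Ok(())
}

// Checked: the account's address must be the real sysvar before its data is trusted.
fn verify_checked(ix: &AccountInfo) -> Result<(), VerifyError> {
    if ix.key != SYSVAR_INSTRUCTIONS_ID {
        return Err(VerifyError::WrongSysvarAccount);
    }
    verify_unchecked(ix)
}

// Constructed samples: the runtime-owned sysvar and a caller-created lookalike.
fn genuine_sysvar() -> AccountInfo {
    AccountInfo { key: Pubkey([1; 32]), data: vec![2; 40] }
}
fn lookalike_account() -> AccountInfo {
    AccountInfo { key: Pubkey([9; 32]), data: vec![2; 40] }
}

fn main() {
    println!("unchecked, lookalike: {:?}", verify_unchecked(&lookalike_account()));
    println!("checked,   lookalike: {:?}", verify_checked(&lookalike_account()));
    println!("checked,   genuine:   {:?}", verify_checked(&genuine_sysvar()));
}
```

In solana_program, load_instruction_at_checked performs this address comparison before parsing the account data.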
The hacker, who managed to exploit the Solana VAA verification and mint tokens, has been offered a whitehat agreement with a bug bounty of $10 million in exchange for exploit details and the return of the wETH that was minted.
A $10,000,000 bug bounty for exploit details and a whitehat agreement is offered to the hackers in exchange for returning all funds. You can reach out to firstname.lastname@example.org
— Wormhole🌪 (@wormholecrypto) February 4, 2022
After the transfer from the bridge, the funds are still at the hacker’s address, which was topped up from Tornado to cover fees. One small transfer (0.1 ETH) was made to a Binance deposit address, probably to complicate tracking. The address is still active, with the last transaction about seven days ago.