Coinfirm logo

Top 2022 Crypto hacks: Wormhole Bridge Exploit

Wormhole Bridge Exploit

On 2nd February 2022, a hacker manipulated Wormhole, Solana’s bridge, to credit 120k ETH on Ethereum. This allowed them to mint the equivalent amount of wrapped whETH (Wormhole ETH) on Solana. 

To do this, the hacker utilized a SignatureSet created in a previous transaction to bypass the Wormhole’s ‘guardians’. After that, they called the contract’s ‘verify_signatures’ function, which delegated the task of verifying the SignatureSet to a Sep256k1 program. The discrepancy between solana_program::sysvar::instructions and the solana_program Wormhole was using enabled the hacker to provide an address containing just 0.1 ETH.

Using an account created only hours earlier with one single serialized instruction corresponding to the Sep256k1 contract, they could fake the SignatureSet and call ‘complete_wrapped’, thus fraudulently minting 120k whETH on Solana using VAA verification from a prior transaction. Subsequently, 93,750 ETH was bridged back to Ethereum over three transactions in the hacker’s wallet. The remaining 36k whETH were liquidated into USDC and SOL tokens on Solana.

A whitehat agreement has been offered to the hacker, who managed to exploit the Solana VAA verification and mint tokens, with a bug bounty of $10 million in exchange for exploit details and the return of the wETH that was minted.

After the transfer from the bridge, the funds are still at the hacker’s address, topped up from Tornado on fees. One small transfer was made (0.1 ETH) to Binance deposit, probably to complicate tracking. The address is still active, with the last transaction about seven days ago.

Wormhole Exploit Transfers
Wormhole Exploit Transfers