The full story behind the exploit that led to the fraudulent minting of 120,000 wETH and threatened to crash Solana.

Early February of 2022 was a low-point for the cryptocurrency asset class; one of many more to come throughout the year. The price of BTC was on a relentless downtrend from a high of $69,044.77 on Nov 10, 2021, to under $40,000 by February 02, 2022.

This is the market atmosphere in which the $320M Wormhole bridge exploit occurred.

The Wormhole bridge exists to help users move their assets from one blockchain to another – most often from Ethereum to Solana. The bridge, like any other, requires that users deposit their assets from one chain, such as ETH for example, and then they get the equivalent in a “debt token” (wETH or wrapped ETH) on the chain they wish to bridge to. From there, they can use the wETH to interact with dApps (decentralized apps) or exchange it for other assets, such as SOL or USDC.

The hack involved falsifying on-chain messages and transactions which allowed the attacker to steal the funds.

How the Exploit was Executed

By using a fake ‘sysvar’ account to invoke the “verify_signatures” function, the attacker was able to create a malicious transaction and ultimately trick the Wormhole bridge verification process to make “guardians” (validators) believe 120,000 ETH had been deposited on the Ethereum side, and therefore allow for the fraudulent minting of 120,000 wETH to this Solana address.

Here’s the initial transaction; ‘line #4 – account3’ should read “Sysvar: Instructions”, but instead reads “2tHS1cXX2h1KBEaadprqELJ6sV9wLoaSdX68FqsrrZRd” in its place. This is where the exploit occurred, which then led to forged signatures, the fake verification, and the eventual successful attack.

Blockchain Cybersecurity Company CertiK provided an in-depth incident analysis that further breaks down the technical aspects.

Timeline of the Wormhole Bridge Hack

February 02, 2022:

At 17:58 UTC, the first transaction occurs on Solana block 119025020 to create the fake ‘sysvar’ account.

After a series of technical maneuvers, this transaction is confirmed less than half an hour later on block 119027414 at 18:24 UTC, which mints the fraudulent 120k wETH valued around $320M at the time.

Within 10 minutes, by 18:34 UTC, the majority of the ‘debt token’ wETH has been exchanged for various assets, including 93,750 wETH being bridged to regular ETH, and the remaining 26,250 wETH being liquidated to 432,662 SOL and 1444 USDC.

The discrepancy in outstanding funds was not noticed until 19:07 UTC, when it was pointed out by Wormhole network contributors.

At 19:33 UTC, the team temporarily shuts down the Wormhole network.

At 20:15 UTC, the Wormhole security team sends a message on Ethereum block 141128723 to the attacker, “We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted.” They also left contact details.

According to public reports, the attacker never contacted the Wormhole team to claim the $10M bounty, and all the assets still remain in the addresses they were initially transferred to.

At 20:42 UTC, the team announces the attack to the public via Twitter, and then at 22:25 UTC, they releases another statement on Twitter ensuring users that “ETH will be added over the next hours to ensure wETH is backed 1:1.”

February 03, 2022:

The vulnerability that led to the exploit is patched in collaboration with Wormhole contributors led by auditing company Neodyme at 00:32 UTC.

By 13:29 UTC, the Wormhole network is back online and fully operational, and the announcement that “All funds have been restored and Wormhole is back up” comes in the form of a tweet at 13:39 UTC.

What Happened to the Stolen Funds?

As previously mentioned, at the time of writing the funds remain in the wallets they were initially transferred to. They haven’t been recovered, and no attempt has been made to extract them to a cash out point, such as a crypto exchange. However, since the fraudulent funds posed a massive risk to the stability of the Solana DeFi ecosystem due to the fact that there would be 120k ETH missing from the bridge’s liquidity, it was replaced on February third by contributors from Jump Crypto. This has allowed the bridge to return to full capacity and remain in operation today.

Marin Ivezic
Website | Other articles

For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.

He held multiple interim CISO and technology leadership roles in Global 2000 companies.