Wormhole Bridge Exploit - Post-Mortem
Date: February 3, 2022
Summary
Solana's Wormhole bridge was exploited for approximately $326 million in wrapped Ethereum (wETH).
Technical Root Cause
The vulnerability centered on a critical flaw in Solana VAA (Verified Action Approval) verification:
1. Signature verification bypass: The attacker exploited a discrepancy between how Wormhole's contract called the Secp256k1 verification program and how it validated the program's address.
2. Address validation failure: Due to improper use of
solana_program::sysvar::instructions, the contract failed to correctly verify the address being provided.3. Reused VAA: The attacker leveraged a
SignatureSet created in a previous transaction to bypass the guardians.Attack Vector & Exploit Steps
1. Using a previously-created
SignatureSet, the attacker called verify_signatures on the main bridge.2. The
verify_signatures function delegated to the Secp256k1 program but failed to properly validate which program was being called.3. The attacker created an account hours earlier containing a single serialized instruction corresponding to the Secp256k1 contract, enabling them to fabricate the
SignatureSet.4. Using this fake verification, the attacker called
complete_wrapped and fraudulently minted 120,000 whETH on Solana.5. The attacker then bridged 93,750 ETH back to Ethereum across three transactions.
Attacker wallet:
0x629e7da20197a5429d30da36e77d06cdf796b71aFinancial Impact
• Total loss: $326 million
• wETH exploited: 120,000 tokens
• Funds recovered: Full backing restored within 24 hours through team capital injection
Remediation & Recovery
Bug Bounty Offer: Wormhole's parent company, Certus One, sent an on-chain message offering a $10 million bug bounty in exchange for exploit details. The attacker did not respond.