Wormhole Bridge Exploit - Post-Mortem
Date: February 3, 2022
Summary
Solana's Wormhole bridge was exploited for approximately $326 million in wrapped Ethereum (wETH).
Technical Root Cause
The vulnerability centered on a critical flaw in Solana VAA (Verified Action Approval) verification:
1. Signature verification bypass: The attacker exploited a discrepancy between how Wormhole's contract called the Secp256k1 verification program and how it validated the program's address.
2. Address validation failure: Due to improper use of solana_program::sysvar::instructions, the contract failed to correctly verify the address being provided.
3. Reused VAA: The attacker leveraged a SignatureSet created in a previous transaction to bypass the guardians.
Attack Vector & Exploit Steps
1. Using a previously-created SignatureSet, the attacker called verify_signatures on the main bridge.
2. The verify_signatures function delegated to the Secp256k1 program but failed to properly validate which program was being called.
3. The attacker created an account hours earlier containing a single serialized instruction corresponding to the Secp256k1 contract, enabling them to fabricate the SignatureSet.
4. Using this fake verification, the attacker called complete_wrapped and fraudulently minted 120,000 whETH on Solana.
5. The attacker then bridged 93,750 ETH back to Ethereum across three transactions.
Attacker wallet: 0x629e7da20197a5429d30da36e77d06cdf796b71a
Financial Impact
• Total loss: $326 million
• wETH exploited: 120,000 tokens
• Funds recovered: Full backing restored within 24 hours through team capital injection
Remediation & Recovery
Bug Bounty Offer: Wormhole's parent company, Certus One, sent an on-chain message offering a $10 million bug bounty in exchange for exploit details. The attacker did not respond.