As a quick primer, Wormhole is a crypto network that enables users to transfer their holdings between a variety of cryptocurrencies and blockchains, including Ethereum, Solana, and Terra. As for how it works, the platform essentially places users’ tokens into a smart contract on the departing chain, then mints a “wormhole wrapped” token on the destination chain. From there, the token can be exchanged for native tokens on the destination chain.
ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience.
— Wormhole🌪 (@wormholecrypto) February 2, 2022
This complicated process is also how the hackers managed to make off with the 120000 units of wETH. According to PC Gamer, the hacker exploited a loophole in the minting and wrapping process; more specifically, they managed to mint the wrapped coins on a network they didn’t have to transfer, which in this case was the Solana network and the cryptocurrency SOL. One equally important point to note here is that, while hacking the network, the hacker had to ensure that the stolen wrapped tokens and those of the blockchains maintained a 1:1 value. Otherwise, they ran the risk of losing money during the transfer.
The investigation inside Wormhole Bridge
The attacker invoked the complete_wrapped instruction with the spoofed inputs ctx, accs and data. The instruction does not perform complete verification on the correctness of the input ctx, accs, and data. pic.twitter.com/IQAEqvphBO
— CertiK Security Leaderboard (@CertiKCommunity) February 3, 2022
At the time of writing, the stolen funds have reportedly been divided up and exchanged, with around 93000 minted tokens having been exchanged for Ethereum. Jump Crypto, the cryptocurrency arm of Jump Trading, has also stepped in to help Wormhole by replacing the stolen cryptocurrency.
If you wish to learn how the hacker exploited Wormhole’s security, security experts at CertiK posted a step-by-step analysis of the process via the firm’s official Twitter account, so you can check that out if you’re interested.
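To make the class of flaw concrete, the following is an added sketch, not code from Wormhole, CertiK, or the sources cited here. It is a simplified model of a lock-and-mint bridge in which an HMAC stands in for the bridge's attestation signatures; the `Bridge` class, its method names, the key, and the sample transfers are all constructed assumptions, and only the `complete_wrapped` name and the 1:1 backing requirement come from the text above.

```python
import hashlib
import hmac

GUARDIAN_KEY = b"constructed-demo-key"  # assumption: stand-in for real attestation signers

def attest(transfer_id: str, amount: int) -> bytes:
    """Attestation the departing chain issues only after tokens are locked."""
    msg = f"{transfer_id}:{amount}".encode()
    return hmac.new(GUARDIAN_KEY, msg, hashlib.sha256).digest()

class Bridge:
    def __init__(self):
        self.locked = 0          # collateral held on the departing chain
        self.wrapped_supply = 0  # wrapped tokens minted on the destination chain
        self.seen = set()        # transfer ids already redeemed

    def lock(self, transfer_id: str, amount: int) -> bytes:
        self.locked += amount
        return attest(transfer_id, amount)

    def complete_wrapped_unchecked(self, transfer_id, amount, sig, claims_verified):
        # Flawed: trusts a caller-supplied input instead of verifying it.
        if not claims_verified:
            return False
        self.wrapped_supply += amount
        return True

    def complete_wrapped_checked(self, transfer_id, amount, sig):
        # Hardened: recompute the attestation and reject replays before minting.
        if transfer_id in self.seen:
            return False
        if not hmac.compare_digest(sig, attest(transfer_id, amount)):
            return False
        self.seen.add(transfer_id)
        self.wrapped_supply += amount
        return True

    def backed_one_to_one(self) -> bool:
        # Monitoring invariant: wrapped supply must never exceed locked collateral.
        return self.wrapped_supply <= self.locked

def demo() -> dict:
    forged = b"\x00" * 32  # constructed value that was never issued by attest()
    weak, hard = Bridge(), Bridge()
    weak.complete_wrapped_unchecked("t-forged", 120000, forged, True)
    sig = hard.lock("t-1", 10)
    return {"unchecked_backed": weak.backed_one_to_one(),
            "legit": hard.complete_wrapped_checked("t-1", 10, sig),
            "replay": hard.complete_wrapped_checked("t-1", 10, sig),
            "forged": hard.complete_wrapped_checked("t-forged", 120000, forged),
            "checked_backed": hard.backed_one_to_one()}
```

The `backed_one_to_one` check is the kind of invariant a bridge operator can monitor continuously, since any mint that is not matched by locked collateral breaks it immediately.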
(Source: PC Gamer, Reuters, Twitter [1] [2])