At 1:58 am on February 3, 2022, Beijing time, the Solana cross-chain bridge project Wormhole was attacked by attackers. Hackers bypassed the Wormhole Bridge verification process on Solana and minted Wormhole ETH (wETH) for themselves.
In this incident, the attacker bypassed the system verification step by injecting a spoofed sysvar account, and successfully generated a malicious "message" specifying that 120,000 wETH should be minted. Finally, the attacker successfully minted 120,000 wETH worth about $320 million by using a malicious "message" to call the "complete_wrapped" function.
secondary title
Introduction to Wormholes
Wormhole (Wormhole), also known as the Einstein-Rosen bridge, is also translated as wormhole. It is a narrow tunnel that may exist in the universe to connect two different time and space.
Closer to home, in fact, Solana’s cross-chain bridge Wormhole Protocol (Wormhole Protocol) does have the same meaning and positioning as wormholes in science and even science fiction.
exploit transaction
exploit transaction
Mint 120,000 Wormhole ETH:
https://solscan.io/tx/2zCz2GgSoSS68eNJENWrYB48dMM1zmH8SZkgYneVDv2G4gRsVfwu5rNXtK5BKFxn7fSqX9BvrBc1rdPAeBEcD6Es
secondary title
https://etherscan.io/address/0x629e7da20197a5429d30da36e77d06cdf796b71a#internaltx
Vulnerability attack process
Step 1: The attacker uses a fake sysvar account to call the "verify_signatures" function: https://solscan.io/tx/25Zu1L2Q9uk998d5GMnX43t9u9eVBKvbVtgHndkc2GmUFed8Pu73LGW6hiDsmGXHykKUTLkvUdh4yXPdL3Jo4wVS① with the fake "sysvar account" as an argument to the "verify_signatures" function:
In contrast, the screenshot below takes the "verify_signatures" function with the real "sysvar account" as an argument:
② The “verify_signatures” function loads the current instruction from sysvar (L92).
③ However, the function "load_current_index" cannot verify whether "sysvar account" is really "system sysvar". Since the current instruction (L92) retrieved from "sysvar" is controlled by the attacker, it can successfully pass the following verification process.
Step 2: The attacker then uses the signature verified in the previous step to call the "post_vaa" function, and creates a malicious message account, claiming to mint 120,000 wETH: https://solscan.io/tx/2SohoVoPDSdzgsGCgKQPByKQkLAXHrYmvtE7EEqwKi3qUBTGDDJ7DcfYS7YJC2f8xwKVVa6SFUph5MZ5 xcyn1BCK
① Account2 is the signature set generated by the "verify_signatures" command. ② Account3 is the message account that will be used in the "complete_wrapped" function.
Step 3: The attacker calls the "complete_wrapped" function to read the data in the malicious message account and mint 120,000 wETH: https://solscan.io/tx/2zCz2GgSoSS68eNJENWrYB48dMM1zmH8SZkgYneVDv2G4gRsVfwu5rNXtK5BKFxn7fSqX9BvrBc1rdPAeBEcD 6Es
① Account3 is the message account generated by the "post_vaa" function.
② Account6 is the "recipient" address for receiving the minted Wormhole ETH. ③ Account9 is the minting institution of Wormhole ETH, which is a PDA (Program Derived Address). This is why the attacker can mint tokens directly after the signature verification is passed.
The root cause of this vulnerability is that in the process of verifying signatures ("verify_signatures"), the program uses a "load_current_index" function that was deprecated when Solana was updated to 1.8.0. This function will not verify whether the input "sysvar account" is really "system sysvar", so the attacker can take the opportunity to forge this critical account.
https://solscan.io/tx/j3jUDG43di8Dsg7Q3jQhstamtBovu1GLqnDJ7yNvM3r4pnK9e7uqgt9uBobCjT5S1BKhZZFQNQwDxypEYqLknec
https://solscan.io/tx/5UaqPus91wvAzKNve6L8YAHsESomZQ7GWi37gPFyzTHcXNMZA641bb8m8txo7bS7A5cAnzKDKYyiKcQC8GgDcAuf
https://solscan.io/tx/3AugXqrXunBa96YfqENhPBiWZWpnSnJdqAHS64qcHTVU9KtfGon8cN9cUuXsDmBobBBXjYUtuRxnYxgERS42nh6G
Contract Vulnerability Analysis
The root cause of this vulnerability is that in the process of verifying signatures ("verify_signatures"), the program uses a "load_current_index" function that was deprecated when Solana was updated to 1.8.0. This function will not verify whether the input "sysvar account" is really "system sysvar", so the attacker can take the opportunity to forge this critical account.
Summarize
Summarize
Currently, the Wormhole team has fixed the vulnerability and restored the network. Here, CertiK proposes the following suggestions to developers:
When developers use externally dependent functions, they need to have sufficient understanding of this function.
Keep an eye on important updates of externally dependent code bases, and make corresponding adjustments to your own code base in a timely manner when there are major version changes.
When the code version is updated, it is also necessary to conduct a comprehensive audit in a timely manner, and update the audited code to the code that has been deployed on the chain in a timely manner.
The fifth day of the lunar calendar is approaching, and I hope everyone will "break the five poor". At the same time, it is also hoped that each project will be deployed online after a strict audit to obtain higher security and reduce the possibility of property loss. Good luck begins to "cycle" continuously from the new year; safety begins with strict audits, and every project has a better "start"!
So far, CertiK has been recognized by 2,500 corporate customers, protecting more than $311 billion in digital assets from loss. Welcome to click the dialog box at the bottom of the CertiK public account, leave a message to get free consultation and quotation!
IOS
Android