On the morning of February 3, Wormhole woke up to a distress call announcing the loss of 120,000 ETH. The attacker managed to exploit a bug to transfer Ether valued at well over 300 million dollars. Blame has been directed at the version of solana_program in use, which failed to verify the addresses used by the cross-chain bridge. The platform is currently working to maintain the 1:1 ratio of ETH and wETH and get the network back online before the problem becomes persistent. The official Wormhole website has been offline since the attack.
Solana is one of the fastest-growing blockchain projects, predicted to give even Ethereum a run for its money in the future. In 2020, Solana teamed up with Certus One to develop a bridge between SOL and ETH. This cross-chain bridge was named Wormhole and has been operational on the Solana blockchain ever since. However, several prominent personalities have expressed their dissatisfaction with the concept of cross-chain bridges. Even Vitalik Buterin of Ethereum, in a tweet from early January, said that the future should focus more on multi-chain connectivity than on cross-chain bridges. Much to its dismay, Solana also suffered a 13.5% fall in the market today following this historic breach.
Right after the attack, several tweets from the crypto community pointed out how even high-profile platforms fail to verify addresses themselves and rely on external validators, such as the Secp256k1 program. A quick check into the attack proved that the attacker had access to the private keys. Since there is no way to access the keys without authorization, the obvious conclusion is that the bridge system was compromised during the attack.
The Wormhole bridge needs to wrap ETH coins to transfer them to other Ethereum-based blockchains. Apparently, this aspect of the cross-chain bridge helped the attacker transfer 120,000 ETH from Wormhole. The attacker seems to have used the complete_wrapped command, which cannot be used without a valid VAA. The Wormhole-compatible VAA account was created earlier, and the transactions from this account seem to have used the post_vaa command on the Wormhole bridge. The attacker also used the signature set from the previous transactions to help validate this new request.
The verify_signatures instruction packs the signatures from the guardians into a signature set. Unfortunately, Wormhole does not complete the verification on the platform itself; instead, it is delegated to the Secp256k1 program. The solana_program::sysvar::instructions module was supposed to complete the verification of the address. However, the version of solana_program used by Wormhole did not verify the addresses. The attacker anticipated this, created his own account that imitated the instructions sysvar, and substituted it for the real one, thereby bypassing the whole system. Sysvars provide cluster state information such as the current tick height, rewards points values, etc.
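
The missing address check described above, modelled in plain Rust as an added example; it is not Wormhole's or solana_program's code. The account layout, the two constant addresses and both function names are assumptions made for illustration.

```rust
// Simplified model, constructed for illustration. Not Wormhole or solana_program code.
type Pubkey = [u8; 32];

// Assumed stand-in addresses; on Solana both are fixed, well-known values.
const INSTRUCTIONS_SYSVAR_ID: Pubkey = [0x11; 32];
const SECP256K1_PROGRAM_ID: Pubkey = [0x22; 32];

// Hypothetical account: `data` lists the program id of each instruction in the transaction.
struct Account {
    key: Pubkey,
    data: Vec<Pubkey>,
}

#[derive(Debug, PartialEq)]
enum VerifyError {
    WrongSysvarAccount,
    NoPriorInstruction,
    NotSecpInstruction,
}

// Vulnerable shape: reads the caller-supplied account without checking its address.
fn prior_was_secp_unchecked(acct: &Account, current: usize) -> Result<(), VerifyError> {
    let prev = current
        .checked_sub(1)
        .and_then(|i| acct.data.get(i))
        .ok_or(VerifyError::NoPriorInstruction)?;
    if *prev == SECP256K1_PROGRAM_ID {
        Ok(())
    } else {
        Err(VerifyError::NotSecpInstruction)
    }
}

// Hardened shape: the account must be the real instructions sysvar before its data is trusted.
fn prior_was_secp_checked(acct: &Account, current: usize) -> Result<(), VerifyError> {
    if acct.key != INSTRUCTIONS_SYSVAR_ID {
        return Err(VerifyError::WrongSysvarAccount);
    }
    prior_was_secp_unchecked(acct, current)
}

fn main() {
    // Constructed sample: an account at some other address whose data claims a signature check ran.
    let lookalike = Account { key: [0x99; 32], data: vec![SECP256K1_PROGRAM_ID, [0x44; 32]] };
    println!("unchecked: {:?}", prior_was_secp_unchecked(&lookalike, 1));
    println!("checked:   {:?}", prior_was_secp_checked(&lookalike, 1));
}
```

The only difference between the two functions is the comparison of the account's key against the expected sysvar address, which is the check the page says was absent.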