On February 3, the Wormhole cross-chain protocol based on Solana was hacked.
A wormhole is a cross-chain messaging protocol that connects high-value blockchain networks.
The attackers took advantage of the exploit and withdrew 120,000 WETH from the project pool (over $319 million).
The wormhole network was exploited for 120k wETH.
ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly.
We are working to get the network back up quickly. Thanks for your patience.
— Wormhole🌪 (@wormholecrypto) February 2, 2022
The transaction can be seen here:
The developers later reported that the vulnerability was patched, and the team was working on getting the network back up as soon as possible.
CertiK explained that Wormhole smart contracts did not fully validate the input data, which allowed transactions to be initiated with incorrect variables. Thanks to this vulnerability, hackers withdraw 120k WETH to their address.
Certik Finding says:
“The attacker invoked the complete_wrapped instruction with the spoofed inputs `ctx`, `accs` and `data.`
The instruction does not perform complete verification on the correctness of the input `ctx,` `accs,` and `data.`
In this case, the spoofed data will be passed and processed. The mint authority for the Wormhole ETH is a PDA and will sign the “mint” instruction. Lastly, the “invoked_seeded instr” will be successfully triggered and mint Wormhole ETH to the attacker.”
In this case, the spoofed data will be passed and processed.
The mint authority for the Wormhole ETH is a PDA and will sign the “mint” instruction.
Lastly, the “invoked_seeded instr” will be successfully triggered and mint Wormhole ETH to the attacker. pic.twitter.com/YtoPZ2i5bo
— CertiK Security Leaderboard (@CertiKCommunity) February 3, 2022
Recall that in January 2022, the founder of Ethereum, Vitalik Buterin, called cross-chain bridges vulnerable due to problems related to the security of assets.