• rajesh273

320m Ether Heist due to exploit of a delayed signature check fix

Wormhole is a blockchain bridge used to transfer assets from one blockchain to another. For example, you can move assets between Solana and Ethereum.

On February 4, 2022, $320m worth of Ether got stolen.

Initially, the operators of Wormhole

  • Did not have any idea how the attack occurred

  • Offered $10m for the hackers to return the $320m in return for the money

Ultimately, Jump Crypto jumped in and replaced the missing funds, making the impacted parties whole again.


The Hack

@samczsun describes the vulnerability in his Twitter post the sequence of steps that were taken by the hacker to avoid the signature validation: the address of the signature verification function passed in was not verified allowing the hacker to bypass signature verification completely. The exploit:

  1. The Hackers created their own version of the signature check

  2. They created their own account with this dummy signature check

  3. Passed this account to the signature check caller

The Wormhole code ultimately failed because it didn't validate all inputs.


How the hackers discovered the vulnerability

It seems that developers at Wormhole had already found the issue and created the fix. However, the fix had not been deployed. The hackers discovered the code patches and moved in quickly before the patch could be deployed.


Lessons

There are several takeaways:

  1. When you make a fix, don't give hackers advance warning. For example, if you notice a flawed server configuration, take it down immediately, fix it (re-image it really), and then deploy it.

  2. Cryptocurrency has very few technological oversights over the entire operational state. Banks have built in many checks and balancing mechanisms over the years to make sure the system has adequate oversight

  3. There are very few standards that can be used to enforce DeFi systems are enforcing the best of breed oversight

  4. Digital Wallets, blockchain bridges, store fronts that accept digital currency, etc. all have similar problems: no Overledger protection.


10 views0 comments

Recent Posts

See All

The latest White House development in cryptocurrencies, Executive Order (EO)on Ensuring Responsible Development of Digital Assets, is geared towards bringing the world of blockchain in general, and c