Wormhole is a blockchain bridge used to transfer assets from one blockchain to another. For example, you can move assets between Solana and Ethereum.
On February 4, 2022, $320m worth of Ether got stolen.
Initially, the operators of Wormhole
Did not have any idea how the attack occurred
Offered $10m for the hackers to return the $320m in return for the money
Ultimately, Jump Crypto jumped in and replaced the missing funds, making the impacted parties whole again.
The Hack
@samczsun describes the vulnerability in his Twitter post the sequence of steps that were taken by the hacker to avoid the signature validation: the address of the signature verification function passed in was not verified allowing the hacker to bypass signature verification completely. The exploit:
The Hackers created their own version of the signature check
They created their own account with this dummy signature check
Passed this account to the signature check caller
The Wormhole code ultimately failed because it didn't validate all inputs.
How the hackers discovered the vulnerability
It seems that developers at Wormhole had already found the issue and created the fix. However, the fix had not been deployed. The hackers discovered the code patches and moved in quickly before the patch could be deployed.
Lessons
There are several takeaways:
When you make a fix, don't give hackers advance warning. For example, if you notice a flawed server configuration, take it down immediately, fix it (re-image it really), and then deploy it.
Cryptocurrency has very few technological oversights over the entire operational state. Banks have built in many checks and balancing mechanisms over the years to make sure the system has adequate oversight
There are very few standards that can be used to enforce DeFi systems are enforcing the best of breed oversight
Digital Wallets, blockchain bridges, store fronts that accept digital currency, etc. all have similar problems: no Overledger protection.