Wormhole Network Signature Validation Loophole: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
(Another 30 minutes complete. Prevention added and much more research.)
{{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/wormholenetworksignaturevalidationloophole.php}}
{{Case Study Under Construction}}{{Unattributed Sources}}


[[File:Wormholenetwork.jpg|thumb|Wormhole Network]]Wormhole Finance is a decentralized bridge between multiple chains including Ethereum, Solana, Terra, Binance Smart Chain, Polygon, Avalanche, and Oasis. A decentralized network of 19 guardians secures the bridge. An attacker exploited a signature verification vulnerability in the smart contract hot wallet for the Ethereum to Solana bridge. This was used to mint 120k wrapped Ethereum (wETH), which was unwrapped and redeemed for Ethereum. The hackers were offered a $10m bounty to return the funds, and a $10m bounty is available for any information leading to their arrest or the return of the funds. So far the hackers have not responded.


This is a global/international case not involving a specific country.<ref name="rektnews-6439" /><ref name="cryptopolitan-6431" /><ref name="cointelegraph-6440" /><ref name="wormholenetwork-6441" /><ref name="wormholenetwork-6442" /><ref name="wormholenetworkdocs-6443" /><ref name="youtube-6444" /><ref name="cpomagazine-6445" /><ref name="wormholecryptomedium-6446" /><ref name="solanaexplorer-6447" /><ref name="coinmarketcapeth-4651" /><ref name="fooldotcom-6448" /><ref name="cbsnews-6449" /><ref name="wormholecryptotwitter-6450" /><ref name="cnbc-6451" /><ref name="theverge-6452" /><ref name="wormholecryptotwitter-6453" /><ref name="mjg59twitter-6454" /><ref name="reuters-6455" /><ref name="jumpcryptohqtwitter-6456" /><ref name="elliptic-6457" /><ref name="decrypt-6458" /><ref name="solscan-6459" /><ref name="samczsuntwitter-6460" /><ref name="arstechnica-6461" /><ref name="fortune-6462" /><ref name="cryptonews-6463" /><ref name="investopedia-6464" /><ref name="coindesk-6980" /><ref name="coinquora-7331" /><ref name="reddit-7412" /><ref name="cryptobriefing-7413" /><ref name="coinfyi-7414" /><ref name="pumpdumpcoin-7415" /><ref name="nextbigwhat-7416" /><ref name="cryptoslate-7417" /><ref name="redditold-9249" /><ref name="nytimes-9826" /><ref name="chainalysisblog-9828" />


== About Wormhole Network ==
<ref name="wormholenetwork-6441" /><ref name="wormholenetwork-6442" /><ref name="wormholenetworkdocs-6443" /><ref name="youtube-6444" />
"The best of blockchains. Move information and value anywhere." "Wormhole is a generic message passing protocol that connects to multiple chains including Ethereum, Solana, Terra, Binance Smart Chain, Polygon, Avalanche, and Oasis." "The foundation that an ecosystem of apps is built on top of." "Apps can now live across chains at once and integrate the best of each."
"The best of blockchains. Move information and value anywhere." "Wormhole is a generic message passing protocol that connects to multiple chains including Ethereum, Solana, Terra, Binance Smart Chain, Polygon, Avalanche, and Oasis." "The foundation that an ecosystem of apps is built on top of." "Apps can now live across chains at once and integrate the best of each."


"Chicago-based Jump Trading acquired Certus One, the developer behind Wormhole, in August [2021]."
"Chicago-based Jump Trading acquired Certus One, the developer behind Wormhole, in August [2021]."


== The Reality ==
"Wormhole had a loophole... A hacker distorted the fabric of Solana's space-time, netting $326M in the process. How did Wormhole return so much ETH so fast?" "The Wormhole network lost about $320 million in cryptocurrency funds after a novel vulnerability was exploited on February 2."
"As software developer Matthew Garrett observed on Twitter, the code upload was described as if it were a run-of-the-mill version update but actually contained extensive changes — a fact that could have tipped off the attacker to the fact that it was a disguised security fix."
"Look commits that claim to just be a version number bump and which then actually contain code are a fucking *huge* red flag that this is a security critical fix that you don't want to admit to."
"Open-source code commits show that code that would have fixed this vulnerability was written as early as January 13th and uploaded to the Wormhole GitHub repository on the day of the attack. Just hours later, the vulnerability was exploited by the hacker, suggesting that the updates had not yet been applied to the production application."
"Apparently, the vulnerability had already been detected and fixed in the code that interoperates between wormhole and Solana, but the fix had not yet been deployed to wormhole. This allowed the attacker to exploit vulnerable, deprecated code to accomplish their theft. This is reassuring in one way (the problem had already been detected and addressed) but disturbing in another (despite the available fix, the vulnerability was not blocked)."
== What Happened ==
"On Feb 2, 2022, an attacker exploited a signature verification vulnerability in the Wormhole network to mint 120k Wormhole-wrapped Ether on Solana. These tokens were not backed by Ether deposits on the Ethereum side of the Portal bridge. The attacker then bridged 93,750 of these tokens to Ethereum, withdrawing the unwrapped Ether from the contract."
"On Feb 2, 2022, an attacker exploited a signature verification vulnerability in the Wormhole network to mint 120k Wormhole-wrapped Ether on Solana. These tokens were not backed by Ether deposits on the Ethereum side of the Portal bridge. The attacker then bridged 93,750 of these tokens to Ethereum, withdrawing the unwrapped Ether from the contract."
"Open-source code commits show that code that would have fixed this vulnerability was written as early as January 13th and uploaded to the Wormhole GitHub repository on the day of the attack. Just hours later, the vulnerability was exploited by the hacker, suggesting that the updates had not yet been applied to the production application."
"The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience."
"[A] signature verification vulnerability was exploited. The perpetrator targeted wETH tokens on Solana that were not tied to Ethereum deposits, bridging them to Ether in order to steal them."
Wormhole, a bridge on the Solana network, was exploited by a hacker who managed to net $326 million. The attacker manipulated the bridge to credit 120,000 ETH as a deposit on Ethereum, allowing them to mint the equivalent in wrapped whETH (Wormhole ETH) on Solana. The exploit involved bypassing Wormhole's guardians, taking advantage of a discrepancy in the verification process, and fraudulently minting whETH. The hacker then bridged a portion of the stolen funds back to Ethereum, while liquidating the remaining whETH into USDC and SOL on Solana. The Wormhole team offered the hacker a bug bounty of $10 million to return the minted tokens, but there has been no response thus far. This incident highlights security concerns around cross-chain protocols and the risks associated with newer networks like Solana.<ref name="rektnews-6439" />
The Wormhole token bridge, which facilitates transfers between Ethereum and Solana, suffered a security exploit resulting in the loss of 120,000 wETH tokens (worth $321 million). It is the largest crypto hack of 2022 so far and the second largest DeFi hack to date. The hacker minted wETH on Solana and then redeemed a portion of it for ETH on Ethereum. Some of the stolen funds were used to purchase other cryptocurrencies. The Wormhole team has offered a $10 million bug bounty for the return of the funds. There are concerns that the bridge to Terra may also be vulnerable. This incident highlights the security risks associated with token bridges and the need for robust security measures in the crypto ecosystem.<ref name="cointelegraph-6440" /><ref name=":0">[https://web.archive.org/web/20220203012243/https://cointelegraph.com/news/wormhole-token-bridge-loses-321m-in-largest-hack-so-far-in-2022 Wormhole token bridge loses $321M in largest hack so far in 2022 - CoinTelegraph Archive February 2nd, 2022 6:22:43 PM MST] (Jul 14, 2023)</ref>
{| class="wikitable"
|+Key Event Timeline - Wormhole Network Signature Validation Loophole
!Date
!Event
!Description
|-
|February 2nd, 2022 11:24:13 AM MST
|Main Event
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
|-
|February 2nd, 2022 6:18:43 PM MST
|CoinTelegraph Article Published
|CoinTelegraph reports that the Wormhole token bridge, which facilitates transfers between Ethereum and Solana, suffered a security exploit resulting in the loss of 120,000 wETH tokens (worth $321 million). It is the largest crypto hack of 2022 so far and the second largest DeFi hack to date. The hacker minted wETH on Solana and then redeemed a portion of it for ETH on Ethereum. Some of the stolen funds were used to purchase other cryptocurrencies. The Wormhole team has offered a $10 million bug bounty for the return of the funds. There are concerns that the bridge to Terra may also be vulnerable. This incident highlights the security risks associated with token bridges and the need for robust security measures in the crypto ecosystem. <ref name="cointelegraph-6440" /><ref name=":0" />
|-
|February 3rd, 2022 9:07:00 AM MST
|Rekt Article Published
|Rekt reports that Wormhole, a bridge on the Solana network, was exploited by a hacker who managed to net $326 million<ref name="rektnews-6439" /><ref>[https://twitter.com/RektHQ/status/1489269408405102596 RektHQ - "Wormhole had a loophole… A hacker distorted the fabric of Solana's space-time, and netted $326M in the process. Less than 24 hours later, and the funds have been replaced. Where did @Wormholecrypto find $326M?" - Twitter] (Jul 14, 2023)</ref>. The attacker manipulated the bridge to credit 120,000 ETH as a deposit on Ethereum, allowing them to mint the equivalent in wrapped whETH (Wormhole ETH) on Solana. The exploit involved bypassing Wormhole's guardians, taking advantage of a discrepancy in the verification process, and fraudulently minting whETH. The hacker then bridged a portion of the stolen funds back to Ethereum, while liquidating the remaining whETH into USDC and SOL on Solana. The Wormhole team offered the hacker a bug bounty of $10 million to return the minted tokens, but there has been no response thus far. This incident highlights security concerns around cross-chain protocols and the risks associated with newer networks like Solana.
|}
== Technical Details ==
"On Feb 2, 2022, an attacker exploited a signature verification vulnerability in the Wormhole network to mint 120k Wormhole-wrapped Ether on Solana. These tokens were not backed by Ether deposits on the Ethereum side of the Portal bridge. The attacker then bridged 93,750 of these tokens to Ethereum, withdrawing the unwrapped Ether from the contract."


"Wormhole had a loophole... A hacker distorted the fabric of Solana's space-time, netting $326M in the process. How did Wormhole return so much ETH so fast?" "The Wormhole network lost about $320 million in cryptocurrency funds after a novel vulnerability was exploited on February 2."
"Wormhole had a loophole... A hacker distorted the fabric of Solana's space-time, netting $326M in the process. How did Wormhole return so much ETH so fast?" "The Wormhole network lost about $320 million in cryptocurrency funds after a novel vulnerability was exploited on February 2."


"The Wormhole hack exploited vulnerabilities in a novel element of crypto technology known as a cross-chain bridge, which allows investors to switch back and forth between digital currencies built on separate blockchains. Some DeFi platforms facilitate these conversions to help people capitalize on trading opportunities; a trader who owns lots of Ether, for example, might want to use an application on another currency’s blockchain without having to sell the Ether and buy the other currency." "This Meter hack took the shape of the previous Wormhole breach some days ago. In the attack, the hackers stole more than $320 million in wETH."
"The Wormhole hack exploited vulnerabilities in a novel element of crypto technology known as a cross-chain bridge, which allows investors to switch back and forth between digital currencies built on separate blockchains. Some DeFi platforms facilitate these conversions to help people capitalize on trading opportunities; a trader who owns lots of Ether, for example, might want to use an application on another currency’s blockchain without having to sell the Ether and buy the other currency." "This Meter hack took the shape of the previous Wormhole breach some days ago. In the attack, the hackers stole more than $320 million in wETH."


"[A] signature verification vulnerability was exploited. The perpetrator targeted wETH tokens on Solana that were not tied to Ethereum deposits, bridging them to Ether in order to steal them."
"[A] signature verification vulnerability was exploited. The perpetrator targeted wETH tokens on Solana that were not tied to Ethereum deposits, bridging them to Ether in order to steal them."
Line 35: Line 90:


"In a nutshell, the attacker forged the signature on a transaction in wormhole, then submitted the invalid transaction to the Solana (CRYPTO:SOL) network as a valid one, which allowed the fraudulent minting of a large number of ETH tokens on the Solana network. They then transferred many of those tokens to a digital wallet on the Ethereum network."
"In a nutshell, the attacker forged the signature on a transaction in wormhole, then submitted the invalid transaction to the Solana (CRYPTO:SOL) network as a valid one, which allowed the fraudulent minting of a large number of ETH tokens on the Solana network. They then transferred many of those tokens to a digital wallet on the Ethereum network."


"Apparently, the vulnerability had already been detected and fixed in the code that interoperates between wormhole and Solana, but the fix had not yet been deployed to wormhole. This allowed the attacker to exploit vulnerable, deprecated code to accomplish their theft. This is reassuring in one way (the problem had already been detected and addressed) but disturbing in another (despite the available fix, the vulnerability was not blocked)."
"Apparently, the vulnerability had already been detected and fixed in the code that interoperates between wormhole and Solana, but the fix had not yet been deployed to wormhole. This allowed the attacker to exploit vulnerable, deprecated code to accomplish their theft. This is reassuring in one way (the problem had already been detected and addressed) but disturbing in another (despite the available fix, the vulnerability was not blocked)."


"Open-source code commits show that code that would have fixed this vulnerability was written as early as January 13th and uploaded to the Wormhole GitHub repository on the day of the attack. Just hours later, the vulnerability was exploited by the hacker, suggesting that the updates had not yet been applied to the production application."
"Open-source code commits show that code that would have fixed this vulnerability was written as early as January 13th and uploaded to the Wormhole GitHub repository on the day of the attack. Just hours later, the vulnerability was exploited by the hacker, suggesting that the updates had not yet been applied to the production application."


"There has been a lot of confusion however how the Wormhole hack had happened. I want to [summarize] and explain how the hack worked, for non-technical audiences. To create wETH on their chain, Solana checks that there is a valid signature, and that the signature comes from a Guardian. Proper usage means there is a valid signature (Correct) from a guardian (Correct). These two conditions match, and so request is approved. They expected an attacker would issue an invalid signature (Incorrect) from a guardian (Correct). These two conditions do not match, so the request is denied. The hack The attacker issued an invalid signature (Incorrect) from a non-guardian (Incorrect). **But these conditions match: incorrect matches incorrect**. So the request is APPROVED (!!) and the ETH was stolen on the Solana network. The Ethereum network successfully processed a withdraw, because Solana told Ethereum "it's all good, this is legit", but Solana's logic for determining whether it is good was flawed."
"There has been a lot of confusion however how the Wormhole hack had happened. I want to [summarize] and explain how the hack worked, for non-technical audiences. To create wETH on their chain, Solana checks that there is a valid signature, and that the signature comes from a Guardian. Proper usage means there is a valid signature (Correct) from a guardian (Correct). These two conditions match, and so request is approved. They expected an attacker would issue an invalid signature (Incorrect) from a guardian (Correct). These two conditions do not match, so the request is denied. The hack The attacker issued an invalid signature (Incorrect) from a non-guardian (Incorrect). **But these conditions match: incorrect matches incorrect**. So the request is APPROVED (!!) and the ETH was stolen on the Solana network. The Ethereum network successfully processed a withdraw, because Solana told Ethereum "it's all good, this is legit", but Solana's logic for determining whether it is good was flawed."


"As software developer Matthew Garrett observed on Twitter, the code upload was described as if it were a run-of-the-mill version update but actually contained extensive changes — a fact that could have tipped off the attacker to the fact that it was a disguised security fix."


"Look commits that claim to just be a version number bump and which then actually contain code are a fucking *huge* red flag that this is a security critical fix that you don't want to admit to."
"The stolen funds consisted of 120,000 wrapped Ether (wETH), a form of standardized token that represents a variety of cryptocurrency types and allows them to be traded directly. It is unclear where the funds the victims were reimbursed with came from, but Wormhole has pledged to back wETH one-for-one with the Ethereum network’s Ether coin going forward."
 
"The hacker then exchanged 93,750 wETH for Ethereum and changed the remainder for Solana, which they've left untouched in their Solana wallet."
 
"Due to the nature of cross-chain applications, the attack temporarily left a huge deficit between the amount of wrapped Ethereum and regular Ethereum held in the Wormhole bridge."
 
== Total Amount Lost ==
The total amount lost has been estimated at $321,942,000 USD.
 
"The stolen funds consisted of 120,000 wrapped Ether (wETH), a form of standardized token that represents a variety of cryptocurrency types and allows them to be traded directly. It is unclear where the funds the victims were reimbursed with came from, but Wormhole has pledged to back wETH one-for-one with the Ethereum network’s Ether coin going forward."
 
"The hacker then exchanged 93,750 wETH for Ethereum and changed the remainder for Solana, which they've left untouched in their Solana wallet."
 
== Immediate Reactions ==


=== Protocol Taken Offline ===
"[A] post from the Wormhole Twitter account announced that the network was being taken “down for maintenance” while a potential exploit was investigated. A later post from Wormhole confirmed the hack and the amount stolen."
"[A] post from the Wormhole Twitter account announced that the network was being taken “down for maintenance” while a potential exploit was investigated. A later post from Wormhole confirmed the hack and the amount stolen."


"The wormhole network is down for maintenance as we look into a potential exploit. We will provide updates here as soon as we have them. Thank you for your patience."
"The wormhole network is down for maintenance as we look into a potential exploit. We will provide updates here as soon as we have them. Thank you for your patience."


"Due to the nature of cross-chain applications, the attack temporarily left a huge deficit between the amount of wrapped Ethereum and regular Ethereum held in the Wormhole bridge."
 


"The stolen funds consisted of 120,000 wrapped Ether (wETH), a form of standardized token that represents a variety of cryptocurrency types and allows them to be traded directly. It is unclear where the funds the victims were reimbursed with came from, but Wormhole has pledged to back wETH one-for-one with the Ethereum network’s Ether coin going forward."
"The stolen funds consisted of 120,000 wrapped Ether (wETH), a form of standardized token that represents a variety of cryptocurrency types and allows them to be traded directly. It is unclear where the funds the victims were reimbursed with came from, but Wormhole has pledged to back wETH one-for-one with the Ethereum network’s Ether coin going forward."


"The hacker then exchanged 93,750 wETH for Ethereum and changed the remainder for Solana, which they've left untouched in their Solana wallet."
"The hacker then exchanged 93,750 wETH for Ethereum and changed the remainder for Solana, which they've left untouched in their Solana wallet."


"To prevent further exploits, Wormhole node operators temporarily stopped relaying messages from on-chain contracts, then upgraded the contract to fix the vulnerability."
"To prevent further exploits, Wormhole node operators temporarily stopped relaying messages from on-chain contracts, then upgraded the contract to fix the vulnerability."
Line 60: Line 131:
"Jump Crypto has recapitalized the contract to ensure that all Wormhole-wrapped Ether on every chain is fully backed. The Wormhole network is back online and fully operational as of 13:29 UTC, Feb 3, 2022. The total duration of the incident was approximately 16 hours."
"Jump Crypto has recapitalized the contract to ensure that all Wormhole-wrapped Ether on every chain is fully backed. The Wormhole network is back online and fully operational as of 13:29 UTC, Feb 3, 2022. The total duration of the incident was approximately 16 hours."


"The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience."
=== Bug Bounty For Attacker ===
"Certus One contacted the hacker(s) as soon as the software problem was fixed, offering them a $10 million bug bounty if they work collaboratively to restore the stolen ETH. There is also a $10 million reward available to anyone else who can provide details that lead to the arrest and conviction of the hacker."
 
"Similar to previous large-scale DeFi hacks, potential victims and donation-seekers have begun to send the hacker on-chain messages through Ethereum transactions. These have ranged from small transfers of worthless tokens or those seeking donations using blockchain names such as “hackerplsdonate.eth” to get the hacker’s attention. One individual claimed to have lost $100,000 in the hack."
 
== Ultimate Outcome ==
 


"Wormhole says that the vulnerability has been patched and that all funds have been restored, and that the project will be backing funds one-for-one with Ether going forward." "This incident was deeply problematic, since it resulted in exploitation and financial losses to the company that released the software, but investor funds have been restored."
"Wormhole says that the vulnerability has been patched and that all funds have been restored, and that the project will be backing funds one-for-one with Ether going forward." "This incident was deeply problematic, since it resulted in exploitation and financial losses to the company that released the software, but investor funds have been restored."


"Certus One contacted the hacker(s) as soon as the software problem was fixed, offering them a $10 million bug bounty if they work collaboratively to restore the stolen ETH. There is also a $10 million reward available to anyone else who can provide details that lead to the arrest and conviction of the hacker."
 
"The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience."
 


"The company is also offering a bounty of $10 million for information leading to the arrest of the responsible party or recovery of the stolen funds, and has announced that it will be launching an ongoing bug bounty program on Immunefi sometime this month that will offer maximum bounties of $3.5 million for disclosure of new vulnerabilities."
"The company is also offering a bounty of $10 million for information leading to the arrest of the responsible party or recovery of the stolen funds, and has announced that it will be launching an ongoing bug bounty program on Immunefi sometime this month that will offer maximum bounties of $3.5 million for disclosure of new vulnerabilities."
Line 70: Line 149:
"A $10,000,000 reward is offered for any information leading to the arrest and conviction of those responsible for the hack of Wormhole on February 2, 2022, or the recovery of the stolen assets. The $10,000,000 whitehat offer remains open for the timely return of the funds."
"A $10,000,000 reward is offered for any information leading to the arrest and conviction of those responsible for the hack of Wormhole on February 2, 2022, or the recovery of the stolen assets. The $10,000,000 whitehat offer remains open for the timely return of the funds."


"Similar to previous large-scale DeFi hacks, potential victims and donation-seekers have begun to send the hacker on-chain messages through Ethereum transactions. These have ranged from small transfers of worthless tokens or those seeking donations using blockchain names such as “hackerplsdonate.eth” to get the hacker’s attention. One individual claimed to have lost $100,000 in the hack."


"As hacks go, this one was handled quickly, and because the ETH tokens were replaced by Jump Trading, no investor funds were lost."
"As hacks go, this one was handled quickly, and because the ETH tokens were replaced by Jump Trading, no investor funds were lost."


== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.


"As hacks go, this one was handled quickly, and because the ETH tokens were replaced by Jump Trading, no investor funds were lost."


"The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience."
== Ongoing Developments ==
"Wormhole says that the vulnerability has been patched and that all funds have been restored, and that the project will be backing funds one-for-one with Ether going forward." "This incident was deeply problematic, since it resulted in exploitation and financial losses to the company that released the software, but investor funds have been restored."

"Certus One contacted the hacker(s) as soon as the software problem was fixed, offering them a $10 million bug bounty if they work collaboratively to restore the stolen ETH. There is also a $10 million reward available to anyone else who can provide details that lead to the arrest and conviction of the hacker."


== Ultimate Outcome ==
"The company is also offering a bounty of $10 million for information leading to the arrest of the responsible party or recovery of the stolen funds, and has announced that it will be launching an ongoing bug bounty program on Immunefi sometime this month that will offer maximum bounties of $3.5 million for disclosure of new vulnerabilities."
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?


== Total Amount Recovered ==
"A $10,000,000 reward is offered for any information leading to the arrest and conviction of those responsible for the hack of Wormhole on February 2, 2022, or the recovery of the stolen assets. The $10,000,000 whitehat offer remains open for the timely return of the funds."
There do not appear to have been any funds recovered in this case.


What funds were recovered? What funds were reimbursed for those affected users?
== Individual Prevention Policies ==
Individuals need to exercise care in ensuring that funds are only stored with platforms that have undergone proper validation for security. The majority of funds should be stored securely offline.


== Ongoing Developments ==
{{Prevention:Individuals:Safe Smart Contract Usage}}
What parts of this case are still remaining to be concluded?
== General Prevention Policies ==
In general, complex smart contract hot wallets shouldn't be in charge of minting. Instead, this should always be the responsibility of a simple multi-sig wallet with cold storage keys held by trusted individuals. If a hot wallet is needed for distribution, that should be audited by two competent firms and never exceed a value which the project can self-insure from other liquid assets.


== Individual Prevention Policies ==
{{Prevention:Individuals:Store Funds Offline}}
{{Prevention:Individuals:Placeholder}}


{{Prevention:Individuals:End}}
{{Prevention:Individuals:End}}


== Platform Prevention Policies ==
== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}
Further validation prior to launch would likely have caught the issue. (In fact, it was known already at the time of the exploit.) While a platform is still under development, most funds could be stored in a multi-signature treasury, limiting the amount which would be able to be stolen. An industry insurance fund could be effective at providing relief for victims.


{{Prevention:Platforms:End}}
{{Prevention:Platforms:Regular Audit Procedures}}


== Regulatory Prevention Policies ==
{{Prevention:Platforms:Implement Multi-Signature}}
{{Prevention:Regulators:Placeholder}}


{{Prevention:Regulators:End}}
{{Prevention:Platforms:Establish Industry Insurance Fund}}


== References ==
{{Prevention:Platforms:End}}
<references><ref name="rektnews-6439">[https://rekt.news/wormhole-rekt/ Rekt - Wormhole - REKT] (Feb 8, 2022)</ref>


<ref name="cryptopolitan-6431">[https://www.cryptopolitan.com/meter-loses-4-million-in-latest-defi-breach/ https://www.cryptopolitan.com/meter-loses-4-million-in-latest-defi-breach/] (Feb 14, 2022)</ref>
== Regulatory Prevention Policies ==
Further validation prior to launch would likely have caught the issue. (In fact, it was known already at the time of the exploit.) An industry insurance fund could be effective at providing relief for victims.


<ref name="cointelegraph-6440">[https://cointelegraph.com/news/wormhole-token-bridge-loses-321m-in-largest-hack-so-far-in-2022 Wormhole token bridge loses $321M in largest hack so far in 2022] (Feb 14, 2022)</ref>
{{Prevention:Regulators:Platform Security Assessments}}


<ref name="wormholenetwork-6441">[https://wormholenetwork.com/ https://wormholenetwork.com/] (Feb 15, 2022)</ref>
{{Prevention:Regulators:Establish Industry Insurance Fund}}


<ref name="wormholenetwork-6442">[https://wormholenetwork.com/buidl/ https://wormholenetwork.com/buidl/] (Feb 15, 2022)</ref>
{{Prevention:Regulators:End}}


== References ==
<references>
<ref name="rektnews-6439">[https://rekt.news/wormhole-rekt/ Rekt - Wormhole - REKT] (Feb 8, 2022)</ref>
<ref name="cryptopolitan-6431">https://www.cryptopolitan.com/meter-loses-4-million-in-latest-defi-breach/ (Feb 14, 2022)</ref>
<ref name="cointelegraph-6440">[https://cointelegraph.com/news/wormhole-token-bridge-loses-321m-in-largest-hack-so-far-in-2022 Wormhole token bridge loses $321M in largest hack so far in 2022 - CoinTelegraph] (Feb 14, 2022)</ref>
<ref name="wormholenetwork-6441">https://wormholenetwork.com/ (Feb 15, 2022)</ref>
<ref name="wormholenetwork-6442">https://wormholenetwork.com/buidl/ (Feb 15, 2022)</ref>
<ref name="wormholenetworkdocs-6443">[https://docs.wormholenetwork.com/wormhole/ Introduction - Wormhole] (Feb 15, 2022)</ref>
<ref name="wormholenetworkdocs-6443">[https://docs.wormholenetwork.com/wormhole/ Introduction - Wormhole] (Feb 15, 2022)</ref>
<ref name="youtube-6444">[https://www.youtube.com/watch?v=ngnWF5widJU The Wormhole Crypto Network Explained - YouTube] (Feb 15, 2022)</ref>
<ref name="youtube-6444">[https://www.youtube.com/watch?v=ngnWF5widJU The Wormhole Crypto Network Explained - YouTube] (Feb 15, 2022)</ref>
 
<ref name="cpomagazine-6445">https://www.cpomagazine.com/cyber-security/defi-project-hacked-for-320-million-in-crypto-wormhole-network-compromised-by-previously-unknown-vulnerability/ (Feb 15, 2022)</ref>
<ref name="cpomagazine-6445">[https://www.cpomagazine.com/cyber-security/defi-project-hacked-for-320-million-in-crypto-wormhole-network-compromised-by-previously-unknown-vulnerability/ https://www.cpomagazine.com/cyber-security/defi-project-hacked-for-320-million-in-crypto-wormhole-network-compromised-by-previously-unknown-vulnerability/] (Feb 15, 2022)</ref>
 
<ref name="wormholecryptomedium-6446">[https://wormholecrypto.medium.com/wormhole-incident-report-02-02-22-ad9b8f21eec6 Wormhole Incident Report 02 02 22] (Feb 15, 2022)</ref>
<ref name="wormholecryptomedium-6446">[https://wormholecrypto.medium.com/wormhole-incident-report-02-02-22-ad9b8f21eec6 Wormhole Incident Report 02 02 22] (Feb 15, 2022)</ref>
<ref name="solanaexplorer-6447">[https://explorer.solana.com/tx/2zCz2GgSoSS68eNJENWrYB48dMM1zmH8SZkgYneVDv2G4gRsVfwu5rNXtK5BKFxn7fSqX9BvrBc1rdPAeBEcD6Es Explorer | Solana] (Feb 15, 2022)</ref>
<ref name="solanaexplorer-6447">[https://explorer.solana.com/tx/2zCz2GgSoSS68eNJENWrYB48dMM1zmH8SZkgYneVDv2G4gRsVfwu5rNXtK5BKFxn7fSqX9BvrBc1rdPAeBEcD6Es Explorer | Solana] (Feb 15, 2022)</ref>
 
<ref name="coinmarketcapeth-4651">https://coinmarketcap.com/currencies/ethereum/historical-data/ (Dec 21, 2021)</ref>
<ref name="coinmarketcapeth-4651">[https://coinmarketcap.com/currencies/ethereum/historical-data/ https://coinmarketcap.com/currencies/ethereum/historical-data/] (Dec 21, 2021)</ref>
 
<ref name="fooldotcom-6448">[https://www.fool.com/investing/2022/02/08/the-wormhole-hack-was-a-close-call-for-investors/ The Wormhole Hack Was a Close Call for Investors | The Motley Fool] (Feb 15, 2022)</ref>
<ref name="fooldotcom-6448">[https://www.fool.com/investing/2022/02/08/the-wormhole-hack-was-a-close-call-for-investors/ The Wormhole Hack Was a Close Call for Investors | The Motley Fool] (Feb 15, 2022)</ref>
<ref name="cbsnews-6449">[https://www.cbsnews.com/news/wormhole-ether-cryptocurrency-320-million-hack/ Cryptocurrency platform Wormhole restores funds after suffering $320 million hack - CBS News] (Feb 15, 2022)</ref>
<ref name="cbsnews-6449">[https://www.cbsnews.com/news/wormhole-ether-cryptocurrency-320-million-hack/ Cryptocurrency platform Wormhole restores funds after suffering $320 million hack - CBS News] (Feb 15, 2022)</ref>
<ref name="wormholecryptotwitter-6450">[https://twitter.com/wormholecrypto/status/1489001949881978883 @wormholecrypto Twitter] (Feb 15, 2022)</ref>
<ref name="wormholecryptotwitter-6450">[https://twitter.com/wormholecrypto/status/1489001949881978883 @wormholecrypto Twitter] (Feb 15, 2022)</ref>
 
<ref name="cnbc-6451">https://www.cnbc.com/video/2022/02/07/wormhole-network-hack-named-fourth-biggest-crypto-hack-of-all-time.html (Feb 15, 2022)</ref>
<ref name="cnbc-6451">[https://www.cnbc.com/video/2022/02/07/wormhole-network-hack-named-fourth-biggest-crypto-hack-of-all-time.html https://www.cnbc.com/video/2022/02/07/wormhole-network-hack-named-fourth-biggest-crypto-hack-of-all-time.html] (Feb 15, 2022)</ref>
 
<ref name="theverge-6452">[https://www.theverge.com/2022/2/3/22916111/wormhole-hack-github-error-325-million-theft-ethereum-solana Wormhole cryptocurrency platform hacked for $325 million after error on GitHub - The Verge] (Feb 15, 2022)</ref>
<ref name="theverge-6452">[https://www.theverge.com/2022/2/3/22916111/wormhole-hack-github-error-325-million-theft-ethereum-solana Wormhole cryptocurrency platform hacked for $325 million after error on GitHub - The Verge] (Feb 15, 2022)</ref>
<ref name="wormholecryptotwitter-6453">[https://twitter.com/wormholecrypto/status/1488976115750383626 @wormholecrypto Twitter] (Feb 15, 2022)</ref>
<ref name="wormholecryptotwitter-6453">[https://twitter.com/wormholecrypto/status/1488976115750383626 @wormholecrypto Twitter] (Feb 15, 2022)</ref>
<ref name="mjg59twitter-6454">[https://twitter.com/mjg59/status/1489065444635938819 @mjg59 Twitter] (Feb 15, 2022)</ref>
<ref name="mjg59twitter-6454">[https://twitter.com/mjg59/status/1489065444635938819 @mjg59 Twitter] (Feb 15, 2022)</ref>
<ref name="reuters-6455">[https://www.reuters.com/technology/crypto-network-wormhole-hit-with-possible-320-mln-hack-2022-02-03/ Jump Trading replaces stolen Wormhole funds after $320 mln crypto hack | Reuters] (Feb 15, 2022)</ref>
<ref name="reuters-6455">[https://www.reuters.com/technology/crypto-network-wormhole-hit-with-possible-320-mln-hack-2022-02-03/ Jump Trading replaces stolen Wormhole funds after $320 mln crypto hack | Reuters] (Feb 15, 2022)</ref>
<ref name="jumpcryptohqtwitter-6456">[https://twitter.com/JumpCryptoHQ/status/1489301013408497666 @JumpCryptoHQ Twitter] (Feb 15, 2022)</ref>
<ref name="jumpcryptohqtwitter-6456">[https://twitter.com/JumpCryptoHQ/status/1489301013408497666 @JumpCryptoHQ Twitter] (Feb 15, 2022)</ref>
<ref name="elliptic-6457">[https://www.elliptic.co/blog/325-million-stolen-from-wormhole-defi-service $325 Million Stolen from Wormhole DeFi Service] (Feb 15, 2022)</ref>
<ref name="elliptic-6457">[https://www.elliptic.co/blog/325-million-stolen-from-wormhole-defi-service $325 Million Stolen from Wormhole DeFi Service] (Feb 15, 2022)</ref>
<ref name="decrypt-6458">[https://decrypt.co/91962/crypto-bridge-wormhole-replenished-after-hack-320m-ethereum Crypto Bridge Wormhole Replenished After Hack for $320M in Ethereum - Decrypt] (Feb 15, 2022)</ref>
<ref name="decrypt-6458">[https://decrypt.co/91962/crypto-bridge-wormhole-replenished-after-hack-320m-ethereum Crypto Bridge Wormhole Replenished After Hack for $320M in Ethereum - Decrypt] (Feb 15, 2022)</ref>
<ref name="solscan-6459">[https://solscan.io/account/CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka Solscan] (Feb 15, 2022)</ref>
<ref name="solscan-6459">[https://solscan.io/account/CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka Solscan] (Feb 15, 2022)</ref>
<ref name="samczsuntwitter-6460">[https://twitter.com/samczsun/status/1489044939732406275 @samczsun Twitter] (Feb 15, 2022)</ref>
<ref name="samczsuntwitter-6460">[https://twitter.com/samczsun/status/1489044939732406275 @samczsun Twitter] (Feb 15, 2022)</ref>
<ref name="arstechnica-6461">[https://arstechnica.com/information-technology/2022/02/how-323-million-in-crypto-was-stolen-from-a-blockchain-bridge-called-wormhole/ How $323M in crypto was stolen from a blockchain bridge called Wormhole | Ars Technica] (Feb 15, 2022)</ref>
<ref name="arstechnica-6461">[https://arstechnica.com/information-technology/2022/02/how-323-million-in-crypto-was-stolen-from-a-blockchain-bridge-called-wormhole/ How $323M in crypto was stolen from a blockchain bridge called Wormhole | Ars Technica] (Feb 15, 2022)</ref>
 
<ref name="fortune-6462">https://fortune.com/2022/02/03/hackers-steal-320-million-crypto-wrapped-ether-wormhole-defi-project/ (Feb 15, 2022)</ref>
<ref name="fortune-6462">[https://fortune.com/2022/02/03/hackers-steal-320-million-crypto-wrapped-ether-wormhole-defi-project/ https://fortune.com/2022/02/03/hackers-steal-320-million-crypto-wrapped-ether-wormhole-defi-project/] (Feb 15, 2022)</ref>
 
<ref name="cryptonews-6463">[https://cryptonews.com/videos/wormhole-network-hack-named-fourth-biggest-crypto-hack-of-all-time.htm Wormhole Network Hack Named Fourth Biggest Crypto Hack of All Time] (Feb 15, 2022)</ref>
<ref name="cryptonews-6463">[https://cryptonews.com/videos/wormhole-network-hack-named-fourth-biggest-crypto-hack-of-all-time.htm Wormhole Network Hack Named Fourth Biggest Crypto Hack of All Time] (Feb 15, 2022)</ref>
<ref name="investopedia-6464">[https://www.investopedia.com/crypto-theft-of-usd320-million-wormhole-hack-5218062 Crypto Worth Over $320 Million Taken in Wormhole Hack] (Feb 15, 2022)</ref>
<ref name="investopedia-6464">[https://www.investopedia.com/crypto-theft-of-usd320-million-wormhole-hack-5218062 Crypto Worth Over $320 Million Taken in Wormhole Hack] (Feb 15, 2022)</ref>
<ref name="coindesk-6980">[https://www.coindesk.com/layer2/2022/02/03/calling-a-hack-an-exploit-minimizes-human-error/ Calling a Hack an Exploit Minimizes Human Error] (Mar 10, 2022)</ref>
<ref name="coindesk-6980">[https://www.coindesk.com/layer2/2022/02/03/calling-a-hack-an-exploit-minimizes-human-error/ Calling a Hack an Exploit Minimizes Human Error] (Mar 10, 2022)</ref>
<ref name="coinquora-7331">[https://coinquora.com/wormhole-network-faces-exploit-loses-216-million-to-hackers/ Wormhole Network Faces Exploit, Loses $216 Million to Hackers - CoinQuora] (Mar 20, 2022)</ref>
<ref name="coinquora-7331">[https://coinquora.com/wormhole-network-faces-exploit-loses-216-million-to-hackers/ Wormhole Network Faces Exploit, Loses $216 Million to Hackers - CoinQuora] (Mar 20, 2022)</ref>
<ref name="reddit-7412">[https://www.reddit.com/r/Buttcoin/comments/tgatok/technology_of_the_future/ Technology of the future : Buttcoin] (Mar 23, 2022)</ref>
<ref name="reddit-7412">[https://www.reddit.com/r/Buttcoin/comments/tgatok/technology_of_the_future/ Technology of the future : Buttcoin] (Mar 23, 2022)</ref>
<ref name="cryptobriefing-7413">[https://cryptobriefing.com/solana-suffers-dip-following-322m-wormhole-hack/ Solana Suffers Dip Following $322M Wormhole Hack - Crypto Briefing] (Mar 23, 2022)</ref>
<ref name="cryptobriefing-7413">[https://cryptobriefing.com/solana-suffers-dip-following-322m-wormhole-hack/ Solana Suffers Dip Following $322M Wormhole Hack - Crypto Briefing] (Mar 23, 2022)</ref>
 
<ref name="coinfyi-7414">https://coin.fyi/news/solana/here-s-how-98k-eth-was-stolen-on-solana-explained-like-you-re-five-sj7ba7 (Mar 23, 2022)</ref>
<ref name="coinfyi-7414">[https://coin.fyi/news/solana/here-s-how-98k-eth-was-stolen-on-solana-explained-like-you-re-five-sj7ba7 https://coin.fyi/news/solana/here-s-how-98k-eth-was-stolen-on-solana-explained-like-you-re-five-sj7ba7] (Mar 23, 2022)</ref>
 
<ref name="pumpdumpcoin-7415">[https://pumpdumpcoin.com/forums/topic/heres-how-98k-eth-was-stolen-on-solana-explained-like-youre-five/ <nowiki>Ethereum [ETH]: Here's How 98k ETH Was Stolen On Solana, Explained Like You're Five - PumpDumpCoin.com</nowiki>] (Mar 23, 2022)</ref>
<ref name="pumpdumpcoin-7415">[https://pumpdumpcoin.com/forums/topic/heres-how-98k-eth-was-stolen-on-solana-explained-like-youre-five/ <nowiki>Ethereum [ETH]: Here's How 98k ETH Was Stolen On Solana, Explained Like You're Five - PumpDumpCoin.com</nowiki>] (Mar 23, 2022)</ref>
<ref name="nextbigwhat-7416">[https://nextbigwhat.com/heres-how-98k-eth-was-stolen-on-solana/ Here's how 98k ETH was stolen on Solana] (Mar 23, 2022)</ref>
<ref name="nextbigwhat-7416">[https://nextbigwhat.com/heres-how-98k-eth-was-stolen-on-solana/ Here's how 98k ETH was stolen on Solana] (Mar 23, 2022)</ref>
<ref name="cryptoslate-7417">[https://cryptoslate.com/solanas-wormhole-bridge-gets-hacked-for-80k-eth/ Solana's Wormhole bridge gets hacked for $200 million (80K ETH) | CryptoSlate] (Mar 23, 2022)</ref>
<ref name="cryptoslate-7417">[https://cryptoslate.com/solanas-wormhole-bridge-gets-hacked-for-80k-eth/ Solana's Wormhole bridge gets hacked for $200 million (80K ETH) | CryptoSlate] (Mar 23, 2022)</ref>
<ref name="redditold-9249">[https://old.reddit.com/r/CryptoCurrency/comments/sk2rg0/the_320m_wormhole_hack_was_replenished_by_jump/ The $320m Wormhole hack was "replenished" by Jump Capital, an institutional trading desk/market maker (similar to Citadel) without any questions. This shows the entire Solana ecosystem is just a sham propped up by institutional entities : Cry...] (Oct 12, 2022)</ref>
<ref name="redditold-9249">[https://old.reddit.com/r/CryptoCurrency/comments/sk2rg0/the_320m_wormhole_hack_was_replenished_by_jump/ The $320m Wormhole hack was "replenished" by Jump Capital, an institutional trading desk/market maker (similar to Citadel) without any questions. This shows the entire Solana ecosystem is just a sham propped up by institutional entities : Cry...] (Oct 12, 2022)</ref>
<ref name="nytimes-9826">[https://www.nytimes.com/2022/09/28/technology/crypto-hacks-defi.html The Crypto World Is on Edge After a String of Hacks - The New York Times] (Nov 30, 2022)</ref>
<ref name="nytimes-9826">[https://www.nytimes.com/2022/09/28/technology/crypto-hacks-defi.html The Crypto World Is on Edge After a String of Hacks - The New York Times] (Nov 30, 2022)</ref>
 
<ref name="chainalysisblog-9828">[https://blog.chainalysis.com/reports/wormhole-hack-february-2022/ Wormhole Hack: Lessons From The Wormhole Exploit] (Nov 30, 2022)</ref>
<ref name="chainalysisblog-9828">[https://blog.chainalysis.com/reports/wormhole-hack-february-2022/ Wormhole Hack: Lessons From The Wormhole Exploit] (Nov 30, 2022)</ref></references>
</references>
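Review bot: The sentence "(In fact, it was known already at the time of the exploit.)" in the Platform Prevention Policies and Regulatory Prevention Policies text carries no <ref>, so attach the source that supports it to that sentence. The "Main Event" row of the Key Event Timeline still has the template prompt "Expand this into a brief description of what happened and the impact." as its description. Section prompts such as "How much was lost and how was it calculated?" and "What funds were recovered?" remain next to the filled-in material and should be replaced or removed. "This sections is included" should read "This section is included".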

Revision as of 14:28, 14 July 2023

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description.

Wormhole Network

Wormhole Finance is a decentralized bridge between multiple chains including Ethereum, Solana, Terra, Binance Smart Chain, Polygon, Avalanche, and Oasis. A decentralized network of 19 guardians secures the bridge. An attacker exploited a signature verification vulnerability in the smart contract hot wallet for the Ethereum to Solana bridge. This was used to mint 120k worth of wrapped Ethereum, which was unwrapped and redeemed for Ethereum. The hackers were offered a $10m bounty to return the funds, and a $10m bounty is available for any information leading to their arrest or the return of the funds. So far the hackers have not responded.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32]

About Wormhole Network

[33][34][35][36]

"The best of blockchains. Move information and value anywhere." "Wormhole is a generic message passing protocol that connects to multiple chains including Ethereum, Solana, Terra, Binance Smart Chain, Polygon, Avalanche, and Oasis." "The foundation that an ecosystem of apps is built on top of." "Apps can now live across chains at once and integrate the best of each."

"Wormhole SDK integrates your project with our generic messaging layer. Wormhole SDK makes it easier than ever for teams, apps, protocols, and users to move value seamlessly across networks without fees." "Six high-value networks, two centralized exchanges, and 19 dexes. Anyone in the community can add new networks to the protocol and build the future of blockchain."

"Wormhole is built to be trust-minimized from the ground up with a group of six networks secured by 19 equally weighted guardians in the core layer." "Send your message to Wormhole. The Guardian network observes the transaction. Quorum is achieved in seconds. Guardians make your attested message publicly available. Access your message on a different chain."

"Wormhole is a decentralized, cross-chain message passing protocol. It enables applications to send messages from one chain to another. The network is operated by a decentralized group of nineteen Guardians who sign each transmitted message to attest to its authenticity. The protocol uses a multi-party signature system where a message is treated as authentic if ⅔+ of the Guardians have signed it."

"Portal is a token bridge constructed on top of the Wormhole network. Portal enables users to deposit funds into a contract on a source chain, then mint a Wormhole-wrapped version of the token on a destination chain. The minting function requires a Wormhole-authenticated message from the source chain contract. This check ensures that Wormhole-wrapped tokens are backed 1:1 by tokens in the source chain contract."

"The Guardians are also responsible for governing the Wormhole network. Upgrades to the protocol and contracts require a supermajority vote of Guardians."

"Chicago-based Jump Trading acquired Certus One, the developer behind Wormhole, in August [2021]."


The Reality

"Wormhole had a loophole... A hacker distorted the fabric of Solana's space-time, netting $326M in the process. How did Wormhole return so much ETH so fast?" "The Wormhole network lost about $320 million in cryptocurrency funds after a novel vulnerability was exploited on February 2."


"As software developer Matthew Garrett observed on Twitter, the code upload was described as if it were a run-of-the-mill version update but actually contained extensive changes — a fact that could have tipped off the attacker to the fact that it was a disguised security fix."

"Look commits that claim to just be a version number bump and which then actually contain code are a fucking *huge* red flag that this is a security critical fix that you don't want to admit to."

"Open-source code commits show that code that would have fixed this vulnerability was written as early as January 13th and uploaded to the Wormhole GitHub repository on the day of the attack. Just hours later, the vulnerability was exploited by the hacker, suggesting that the updates had not yet been applied to the production application."

"Apparently, the vulnerability had already been detected and fixed in the code that interoperates between wormhole and Solana, but the fix had not yet been deployed to wormhole. This allowed the attacker to exploit vulnerable, deprecated code to accomplish their theft. This is reassuring in one way (the problem had already been detected and addressed) but disturbing in another (despite the available fix, the vulnerability was not blocked)."

What Happened

"On Feb 2, 2022, an attacker exploited a signature verification vulnerability in the Wormhole network to mint 120k Wormhole-wrapped Ether on Solana. These tokens were not backed by Ether deposits on the Ethereum side of the Portal bridge. The attacker then bridged 93,750 of these tokens to Ethereum, withdrawing the unwrapped Ether from the contract."

"The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience."

"[A] signature verification vulnerability was exploited. The perpetrator targeted wETH tokens on Solana that were not tied to Ethereum deposits, bridging them to Ether in order to steal them."


Wormhole, a bridge on the Solana network, was exploited by a hacker who managed to net $326 million. The attacker manipulated the bridge to credit 120,000 ETH as a deposit on Ethereum, allowing them to mint the equivalent in wrapped whETH (Wormhole ETH) on Solana. The exploit involved bypassing Wormhole's guardians, taking advantage of a discrepancy in the verification process, and fraudulently minting whETH. The hacker then bridged a portion of the stolen funds back to Ethereum, while liquidating the remaining whETH into USDC and SOL on Solana. The Wormhole team offered the hacker a bug bounty of $10 million to return the minted tokens, but there has been no response thus far. This incident highlights security concerns around cross-chain protocols and the risks associated with newer networks like Solana.[37]


The Wormhole token bridge, which facilitates transfers between Ethereum and Solana, suffered a security exploit resulting in the loss of 120,000 wETH tokens (worth $321 million). It is the largest crypto hack of 2022 so far and the second largest DeFi hack to date. The hacker minted wETH on Solana and then redeemed a portion of it for ETH on Ethereum. Some of the stolen funds were used to purchase other cryptocurrencies. The Wormhole team has offered a $10 million bug bounty for the return of the funds. There are concerns that the bridge to Terra may also be vulnerable. This incident highlights the security risks associated with token bridges and the need for robust security measures in the crypto ecosystem.[38][39]

{| class="wikitable"
|+Key Event Timeline - Wormhole Network Signature Validation Loophole
!Date
!Event
!Description
|-
|February 2nd, 2022 11:24:13 AM MST
|Main Event
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
|-
|February 2nd, 2022 6:18:43 PM MST
|CoinTelegraph Article Published
|CoinTelegraph reports that the Wormhole token bridge, which facilitates transfers between Ethereum and Solana, suffered a security exploit resulting in the loss of 120,000 wETH tokens (worth $321 million). It is the largest crypto hack of 2022 so far and the second largest DeFi hack to date. The hacker minted wETH on Solana and then redeemed a portion of it for ETH on Ethereum. Some of the stolen funds were used to purchase other cryptocurrencies. The Wormhole team has offered a $10 million bug bounty for the return of the funds. There are concerns that the bridge to Terra may also be vulnerable. This incident highlights the security risks associated with token bridges and the need for robust security measures in the crypto ecosystem.[38][39]
|-
|February 3rd, 2022 9:07:00 AM MST
|Rekt Article Published
|Rekt reports that Wormhole, a bridge on the Solana network, was exploited by a hacker who managed to net $326 million[37][40]. The attacker manipulated the bridge to credit 120,000 ETH as a deposit on Ethereum, allowing them to mint the equivalent in wrapped whETH (Wormhole ETH) on Solana. The exploit involved bypassing Wormhole's guardians, taking advantage of a discrepancy in the verification process, and fraudulently minting whETH. The hacker then bridged a portion of the stolen funds back to Ethereum, while liquidating the remaining whETH into USDC and SOL on Solana. The Wormhole team offered the hacker a bug bounty of $10 million to return the minted tokens, but there has been no response thus far. This incident highlights security concerns around cross-chain protocols and the risks associated with newer networks like Solana.
|}

Technical Details

"The Wormhole hack exploited vulnerabilities in a novel element of crypto technology known as a cross-chain bridge, which allows investors to switch back and forth between digital currencies built on separate blockchains. Some DeFi platforms facilitate these conversions to help people capitalize on trading opportunities; a trader who owns lots of Ether, for example, might want to use an application on another currency’s blockchain without having to sell the Ether and buy the other currency." "This Meter hack took the shape of the previous Wormhole breach some days ago. In the attack, the hackers stole more than $320 million in wETH."


"[A] signature verification vulnerability was exploited. The perpetrator targeted wETH tokens on Solana that were not tied to Ethereum deposits, bridging them to Ether in order to steal them."

“The theft was allowed because of a rather common programming error. The function inside of the multiple nested smart contracts which was supposed to verify the signature was not coded to ensure the integrity check actually happened. So there was no integrity guaranteed in the integrity check.”

"The hackers pulled off the theft by using an earlier transaction to create a signatureset, which is a type of credential. With this, they created a VAA, or validator action approval, which is essentially a certificate needed for approving transactions."

"In a nutshell, the attacker forged the signature on a transaction in wormhole, then submitted the invalid transaction to the Solana (CRYPTO:SOL) network as a valid one, which allowed the fraudulent minting of a large number of ETH tokens on the Solana network. They then transferred many of those tokens to a digital wallet on the Ethereum network."


"Apparently, the vulnerability had already been detected and fixed in the code that interoperates between wormhole and Solana, but the fix had not yet been deployed to wormhole. This allowed the attacker to exploit vulnerable, deprecated code to accomplish their theft. This is reassuring in one way (the problem had already been detected and addressed) but disturbing in another (despite the available fix, the vulnerability was not blocked)."

"Open-source code commits show that code that would have fixed this vulnerability was written as early as January 13th and uploaded to the Wormhole GitHub repository on the day of the attack. Just hours later, the vulnerability was exploited by the hacker, suggesting that the updates had not yet been applied to the production application."


"There has been a lot of confusion however how the Wormhole hack had happened. I want to [summarize] and explain how the hack worked, for non-technical audiences. To create wETH on their chain, Solana checks that there is a valid signature, and that the signature comes from a Guardian. Proper usage means there is a valid signature (Correct) from a guardian (Correct). These two conditions match, and so request is approved. They expected an attacker would issue an invalid signature (Incorrect) from a guardian (Correct). These two conditions do not match, so the request is denied. The hack The attacker issued an invalid signature (Incorrect) from a non-guardian (Incorrect). **But these conditions match: incorrect matches incorrect**. So the request is APPROVED (!!) and the ETH was stolen on the Solana network. The Ethereum network successfully processed a withdraw, because Solana told Ethereum "it's all good, this is legit", but Solana's logic for determining whether it is good was flawed."


"The stolen funds consisted of 120,000 wrapped Ether (wETH), a form of standardized token that represents a variety of cryptocurrency types and allows them to be traded directly. It is unclear where the funds the victims were reimbursed with came from, but Wormhole has pledged to back wETH one-for-one with the Ethereum network’s Ether coin going forward."

"The hacker then exchanged 93,750 wETH for Ethereum and changed the remainder for Solana, which they've left untouched in their Solana wallet."

"Due to the nature of cross-chain applications, the attack temporarily left a huge deficit between the amount of wrapped Ethereum and regular Ethereum held in the Wormhole bridge."

Total Amount Lost

The total amount lost has been estimated at $321,942,000 USD.

"The stolen funds consisted of 120,000 wrapped Ether (wETH), a form of standardized token that represents a variety of cryptocurrency types and allows them to be traded directly. It is unclear where the funds the victims were reimbursed with came from, but Wormhole has pledged to back wETH one-for-one with the Ethereum network’s Ether coin going forward."

"The hacker then exchanged 93,750 wETH for Ethereum and changed the remainder for Solana, which they've left untouched in their Solana wallet."

Immediate Reactions

Protocol Taken Offline

"[A] post from the Wormhole Twitter account announced that the network was being taken “down for maintenance” while a potential exploit was investigated. A later post from Wormhole confirmed the hack and the amount stolen."

"The wormhole network is down for maintenance as we look into a potential exploit. We will provide updates here as soon as we have them. Thank you for your patience."




"To prevent further exploits, Wormhole node operators temporarily stopped relaying messages from on-chain contracts, then upgraded the contract to fix the vulnerability."

"Jump Crypto has recapitalized the contract to ensure that all Wormhole-wrapped Ether on every chain is fully backed. The Wormhole network is back online and fully operational as of 13:29 UTC, Feb 3, 2022. The total duration of the incident was approximately 16 hours."

Bug Bounty For Attacker

"Certus One contacted the hacker(s) as soon as the software problem was fixed, offering them a $10 million bug bounty if they work collaboratively to restore the stolen ETH. There is also a $10 million reward available to anyone else who can provide details that lead to the arrest and conviction of the hacker."

"Similar to previous large-scale DeFi hacks, potential victims and donation-seekers have begun to send the hacker on-chain messages through Ethereum transactions. These have ranged from small transfers of worthless tokens or those seeking donations using blockchain names such as “hackerplsdonate.eth” to get the hacker’s attention. One individual claimed to have lost $100,000 in the hack."

Ultimate Outcome

"Wormhole says that the vulnerability has been patched and that all funds have been restored, and that the project will be backing funds one-for-one with Ether going forward." "This incident was deeply problematic, since it resulted in exploitation and financial losses to the company that released the software, but investor funds have been restored."


"The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience."


"The company is also offering a bounty of $10 million for information leading to the arrest of the responsible party or recovery of the stolen funds, and has announced that it will be launching an ongoing bug bounty program on Immunefi sometime this month that will offer maximum bounties of $3.5 million for disclosure of new vulnerabilities."

"A $10,000,000 reward is offered for any information leading to the arrest and conviction of those responsible for the hack of Wormhole on February 2, 2022, or the recovery of the stolen assets. The $10,000,000 whitehat offer remains open for the timely return of the funds."


"As hacks go, this one was handled quickly, and because the ETH tokens were replaced by Jump Trading, no investor funds were lost."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.


"As hacks go, this one was handled quickly, and because the ETH tokens were replaced by Jump Trading, no investor funds were lost."

"The wormhole network was exploited for 120k wETH. ETH will be added over the next hours to ensure wETH is backed 1:1. More details to come shortly. We are working to get the network back up quickly. Thanks for your patience."

Ongoing Developments

What parts of this case are still remaining to be concluded?


"Wormhole says that the vulnerability has been patched and that all funds have been restored, and that the project will be backing funds one-for-one with Ether going forward." "This incident was deeply problematic, since it resulted in exploitation and financial losses to the company that released the software, but investor funds have been restored."


"Certus One contacted the hacker(s) as soon as the software problem was fixed, offering them a $10 million bug bounty if they work collaboratively to restore the stolen ETH. There is also a $10 million reward available to anyone else who can provide details that lead to the arrest and conviction of the hacker."

"The company is also offering a bounty of $10 million for information leading to the arrest of the responsible party or recovery of the stolen funds, and has announced that it will be launching an ongoing bug bounty program on Immunefi sometime this month that will offer maximum bounties of $3.5 million for disclosure of new vulnerabilities."

"A $10,000,000 reward is offered for any information leading to the arrest and conviction of those responsible for the hack of Wormhole on February 2, 2022, or the recovery of the stolen assets. The $10,000,000 whitehat offer remains open for the timely return of the funds."

Individual Prevention Policies

Individuals need to exercise care in ensuring that funds are only stored with platforms that have undergone proper validation for security. The majority of funds should be stored securely offline.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, and steel wallet devices.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Further validation prior to launch would likely have caught the issue. (In fact, it was known already at the time of the exploit.) While a platform is still under development, most funds could be stored in a multi-signature treasury, limiting the amount which would be able to be stolen. An industry insurance fund could be effective at providing relief for victims.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Further validation prior to launch would likely have caught the issue. (In fact, it was known already at the time of the exploit.) An industry insurance fund could be effective at providing relief for victims.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not have performed an assessment within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. https://www.cpomagazine.com/cyber-security/defi-project-hacked-for-320-million-in-crypto-wormhole-network-compromised-by-previously-unknown-vulnerability/ (Feb 15, 2022)
  2. Wormhole Incident Report 02 02 22 (Feb 15, 2022)
  3. Explorer | Solana (Feb 15, 2022)
  4. https://coinmarketcap.com/currencies/ethereum/historical-data/ (Dec 21, 2021)
  5. The Wormhole Hack Was a Close Call for Investors | The Motley Fool (Feb 15, 2022)
  6. Cryptocurrency platform Wormhole restores funds after suffering $320 million hack - CBS News (Feb 15, 2022)
  7. @wormholecrypto Twitter (Feb 15, 2022)
  8. https://www.cnbc.com/video/2022/02/07/wormhole-network-hack-named-fourth-biggest-crypto-hack-of-all-time.html (Feb 15, 2022)
  9. Wormhole cryptocurrency platform hacked for $325 million after error on GitHub - The Verge (Feb 15, 2022)
  10. @wormholecrypto Twitter (Feb 15, 2022)
  11. @mjg59 Twitter (Feb 15, 2022)
  12. Jump Trading replaces stolen Wormhole funds after $320 mln crypto hack | Reuters (Feb 15, 2022)
  13. @JumpCryptoHQ Twitter (Feb 15, 2022)
  14. $325 Million Stolen from Wormhole DeFi Service (Feb 15, 2022)
  15. Crypto Bridge Wormhole Replenished After Hack for $320M in Ethereum - Decrypt (Feb 15, 2022)
  16. Solscan (Feb 15, 2022)
  17. @samczsun Twitter (Feb 15, 2022)
  18. How $323M in crypto was stolen from a blockchain bridge called Wormhole | Ars Technica (Feb 15, 2022)
  19. https://fortune.com/2022/02/03/hackers-steal-320-million-crypto-wrapped-ether-wormhole-defi-project/ (Feb 15, 2022)
  20. Wormhole Network Hack Named Fourth Biggest Crypto Hack of All Time (Feb 15, 2022)
  21. Crypto Worth Over $320 Million Taken in Wormhole Hack (Feb 15, 2022)
  22. Calling a Hack an Exploit Minimizes Human Error (Mar 10, 2022)
  23. Wormhole Network Faces Exploit, Loses $216 Million to Hackers - CoinQuora (Mar 20, 2022)
  24. Technology of the future : Buttcoin (Mar 23, 2022)
  25. Solana Suffers Dip Following $322M Wormhole Hack - Crypto Briefing (Mar 23, 2022)
  26. https://coin.fyi/news/solana/here-s-how-98k-eth-was-stolen-on-solana-explained-like-you-re-five-sj7ba7 (Mar 23, 2022)
  27. Ethereum [ETH]: Here's How 98k ETH Was Stolen On Solana, Explained Like You're Five - PumpDumpCoin.com (Mar 23, 2022)
  28. Here's how 98k ETH was stolen on Solana (Mar 23, 2022)
  29. Solana's Wormhole bridge gets hacked for $200 million (80K ETH) | CryptoSlate (Mar 23, 2022)
  30. The $320m Wormhole hack was "replenished" by Jump Capital, an institutional trading desk/market maker (similar to Citadel) without any questions. This shows the entire Solana ecosystem is just a sham propped up by institutional entities : Cry... (Oct 12, 2022)
  31. The Crypto World Is on Edge After a String of Hacks - The New York Times (Nov 30, 2022)
  32. Wormhole Hack: Lessons From The Wormhole Exploit (Nov 30, 2022)
  33. https://wormholenetwork.com/ (Feb 15, 2022)
  34. https://wormholenetwork.com/buidl/ (Feb 15, 2022)
  35. Introduction - Wormhole (Feb 15, 2022)
  36. The Wormhole Crypto Network Explained - YouTube (Feb 15, 2022)
  37. Rekt - Wormhole - REKT (Feb 8, 2022)
  38. Wormhole token bridge loses $321M in largest hack so far in 2022 - CoinTelegraph (Feb 14, 2022)
  39. Wormhole token bridge loses $321M in largest hack so far in 2022 - CoinTelegraph Archive February 2nd, 2022 6:22:43 PM MST (Jul 14, 2023)
  40. RektHQ - "Wormhole had a loophole… A hacker distorted the fabric of Solana's space-time, and netted $326M in the process. Less than 24 hours later, and the funds have been replaced. Where did @Wormholecrypto find $326M?" - Twitter (Jul 14, 2023)
