On Wednesday afternoon, Solana’s cross-chain bridge, Wormhole, lost more than $320 million in what was one of the largest hacks in DeFi space. The vulnerability was patched within a few hours and the project’s developers also attempted to contact the attacker via a blockchain message.
The said developments were covered in-depth in a recently published article. However, in this report, we will look into other nuances and outline how the attacker managed to pull off the hack.
Timeline of the attack
18:26 UTC – The contract was exploited for 120k ETH
00:33 UTC – The vulnerability was patched
13:08 UTC – ETH contract had been filled and all wETH were backed 1:1
13:29 UTC – The Portal (token bridge) was back up
Source: Wormhole
Breaking things down – How did the attack happen?
Before executing the hack, the attacker managed to forge a valid signature for a transaction that allowed them to freely mint 120,000 wETH worth $320 million on the Solana blockchain without inputting an equivalent amount.
The wrapped tokens were then exchanged for around $260 million in Ethereum that was sent from Wormhole to the hacker’s account, effectively draining out a large amount of the platform’s Ethereum funds that were being held as collateral for transactions on the Solana blockchain.
As per open-source code commits on Github, the code that could have fixed the aforesaid vulnerability was written as early as 13 January but was uploaded to the Wormhole GitHub repository only on the day of the attack.
Within hours, the vulnerability was exploited by the hacker, indicating that the updates hadn’t yet been applied to the production application. As per software developer Matthew Garrett, the disguised security fix code upload looked like it was an ordinary version update but actually contained extensive changes.
Pseudonymous accounts ‘samczun‘ and ‘smart-contracts‘ too took Twitter to decode the series of events that led to the attack.
The aftermath
The attack temporarily left a huge deficit between the amount of wrapped Ethereum and regular Ethereum held in the Wormhole bridge. For a while, it looked like the collateral asset backing a loan had suddenly disappeared.
However, on Thursday itself, Ethereum was added back to the bridge to replace the stolen collateral funds. Jump, which acquired Wormhole’s parent company in August last year, confirmed the same.
Also, the TVL on Wormhole had already been shrinking since October last year. The value locked that stood beyond $500 million four months back, was seen typically hovering around its all-time lows following the attack.
Post the attack news started doing the rounds yesterday, Solana ended up shedding 8-9% of its value. Nonetheless, the seventh-largest alt was quick to recover and inch back up beyond the $100 threshold on Friday.