Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
smartcontracts.eth Profile picture
@kelvinfichter
Feb 3, 2022 38 tweets 8 min read Read on X
Alright. I figured out the Solana x Wormhole Bridge hack. ~300 million dollars worth of ETH drained out of the Wormhole Bridge on Ethereum. Here's how it happened.
Here's the transaction which finalized a majority of the exploit. 80k ETH pulled out of the Wormhole contract on Ethereum in a single transaction: etherscan.io/tx/0x24c7d855a…
Although it's dramatic, this transaction is just the very end of an interesting series of events. I had to start working my way backwards to figure out how this was even possible.
Wormhole is a "bridge" -- basically a way to move crypto assets between different blockchains. Specifically, Wormhole has a set of "guardians" that sign off on transfers between chains. It's a little more complicated than that in practice, but that's the general idea.
The transaction that pulled out 80k ETH was actually the attacker transferring 80k ETH from Solana to Ethereum. I originally thought that the contract might've incorrectly validated the signatures on the transfer, but the signatures completely checked out.
The Wormhole "guardians" had somehow signed off on this 80k ETH transfer as if it were 100% legit. How was that possible?
The first breakthrough came from this transaction on Solana which somehow minted 120k "Wormhole ETH" out of nowhere: solscan.io/tx/2zCz2GgSoSS…
That explains part of it! The attacker was able to mint Wormhole ETH on Solana, so they were able to correctly withdraw it back to Ethereum. Now we just need to figure out how the attacker was able to mint this Wormhole ETH on Solana...
The next interesting piece of information is this Solana transaction that came right before the 120k ETH one, where 0.1 Wormhole ETH was minted on Solana: solscan.io/tx/3HRKFcGjVVt…
If we take a look at the attacker's transaction history on Ethereum, we end up seeing that the attacker *did* make a deposit of 0.1 ETH *into* Solana from Ethereum: etherscan.io/tx/0xf54d9d84e…
Of course, the attacker definitely did not make a 120k ETH deposit into Wormhole on Ethereum. But there's something interesting about this deposit. It definitely has something to do with the attack, but what?
Alright, here's where we start getting into the weeds of Solana. This is the first time I've ever looked at Solana contracts so it took me a while to get my bearings, but I think I finally get what's going on.
The transactions that minted Wormhole ETH on Solana were triggering this Wormhole function "complete_wrapped": github.com/certusone/worm…
One of the parameters that this function takes is a "transfer message", basically a message signed by the guardians that says which token to mint and how much: github.com/certusone/worm…
Solana is kinda weird, so these parameters are actually smart contracts themselves. But the important thing is how these "transfer message" contracts get created. Here's the transaction that made the 0.1 ETH transfer message: solscan.io/tx/5fKWY7XyW6P…
This "transfer message" contract is created by triggering a function called "post_vaa": github.com/certusone/worm…
It doesn't really matter if you understand the fancy code, the most important thing here is that post_vaa checks if the message is valid by checking the signatures from the guardians. That part seems reasonable enough. But it's this signature checking step that broke everything.
One sec loading up my next tweets... hold your horses
Alright let's keep going. "post_vaa" doesn't actually check the signatures. Instead, in typical Solana fashion, there's another smart contract which gets created by calling the "verify_signatures" function. github.com/certusone/worm…
One of the inputs to the "verify_signatures" function is a Solana built-in "system" program which contains various utilities the contract can use: github.com/certusone/worm…
Within "verify_signatures", the Wormhole program attempts to check that the thing that happened right before this function was triggered was that the Secp256k1 signature verification function was executed: github.com/certusone/worm…
This verification function is a built-in tool that's supposed to verify that the given signatures are correct. So the signature verification has been outsourced to this program. But here's where the bug comes in.
The Wormhole contracts used the function load_instruction_at to check that the Secp256k1 function was called first: github.com/certusone/worm…
The load_instruction_at function was deprecated relatively recently because it *does not check that it's executing against the actual system address*! github.com/solana-labs/so…
You're supposed to provide the system address as the program you're executing here (it's the third-to-last program input): github.com/certusone/worm…
Here's that system address being used as the input for the "verify_signatures" for the legit deposit of 0.1 ETH Image
But here's the "verify_signatures" transaction for the fake deposit of 120k ETH Image
That's not the system address!
Using this "fake" system program, the attacker could effectively lie about the fact that the signature check program was executed. The signatures weren't being checked at all!
After that point, it was game over. The attacker made it look like the guardians had signed off on a 120k deposit into Wormhole on Solana, even though they hadn't. All the attacker needed to do now was to make their "play" money real by withdrawing it back to Ethereum.
And one withdrawal of 80k ETH + 10k ETH later (everything in the bridge on Ethereum), everything was gone.
Wormhole reports that the exploit has been patched
A commit was made ~9 hours ago replacing usage of load_instruction_at with load_instruction_at_checked, which actually confirms that the program being executed is the system program: github.com/certusone/worm…
It's interesting that this commit was made ~9 hours ago and the exploit happened a few hours after that. Possible that an attacker was keeping an eye on the repository and looking out for suspicious commits.
Could be that the Wormhole team spotted the bug, patched it, but the attacker got to it before the patch could be rolled out. Super important to keep these sort of patches lowkey and to try to stuff them into larger commits.
It looks like maybe Wormhole tried to do this by including the change in a much larger and unassuming commit called "Update Solana to 1.9.4": github.com/certusone/worm…
Not sure exactly what happened here, but a clear lesson to try to deploy before making any patch details public, if you can afford to do that. Of course this ends up being at odds with Web3 ideals, so not always clear how to best handle these sort of things.
As another commenter has noted, it could also be that the attacker knew about the bug in advance and was forced into exploiting the bug because the patch was being rolled out. Seems hard to construct this attack within ~2 hours so could be a possibility here.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with smartcontracts.eth

smartcontracts.eth Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @kelvinfichter

smartcontracts.eth Profile picture
Feb 23, 2023
One of the major advantages of Optimism's Superchain future over a multi-chain world is tight alignment around a common vision. Being part of the Superchain isn't just about great tech, it's about an understanding that we need to build & fund ecosystem public goods together.
By working as a Collective, we can shift the incentives so that funding the digital equivalent of our roads, schools, and eventually our mega projects actually makes strong economic sense.
This is why I think of the Superchain like a union of chains. That union goes beyond just writing software together and into a philosophical stance that sending resources back into the Collective governance system leaves everyone in a net-positive position.
Read 5 tweets
smartcontracts.eth Profile picture
Feb 23, 2023
It's clear: THE FUTURE IS SUPERCHAIN

@coinbase is joining @optimismFND on the journey towards the vision of a UNIFIED network of L2s: the Superchain.

Here's what's up with the Superchain and how you can get involved **today** 👀
The Superchain is a vision for the future of L2.

Ethereum need L2s, but no single L2 is going to hit the internet-level scale necessary to bring Ethereum to the world. At the same time, siloed L2s fracture security, liquidity, and development effort. We need something better.
The Superchain is a vision for a UNION of L2s.

We need to work on standardized, interoperable software, together. We need to work on improvements, together. We need to govern, together.

If we want to avoid fracturing the L2 ecosystem, we need to build TOGETHER.
Read 17 tweets
smartcontracts.eth Profile picture
Feb 13, 2023
The OP Stack is about to make Ethereum contract development crazy again. Hard to explain until you've seen it. It's just stupid how powerful this thing is. The idea of getting CSR on Optimism Mainnet was what really got me. (quik thred)
Contract Secured Revenue (CSR) is a mechanism spearheaded by Canto to reward contract creators based on the % of gas those contracts are using. The more gas is being spent on the contracts, the more rewards for their creators. Simple.
Whether or not CSR has its intended impact is yet to be seen. Still, it's a cool mechanism. @kethcode and @GonnaEth reached out to me to chat about getting a homebrew CSR working on Optimism Mainnet. But building CSR directly into Optimism Mainnet is too much of a diff.
Read 21 tweets
smartcontracts.eth Profile picture
Jul 30, 2022
For your entertainment, here's a thread about the future of @optimismFND, the upcoming Bedrock upgrade, Rollup decentralization, and ZK. Bedrock is a Rollup client, not an Optimistic Rollup client 😉. Enjoy the spice. 🌈
I recently gave a talk called "Wen?" that explored the future of @optimismFND. Since Optimism does everything in the open, there's a ridiculous amount of alpha in there. Have fun!
I wanted to touch on some of the most important points I made in that presentation because they're critical to understanding why Optimism is doing things the way it is. Let's chat about Bedrock, decentralization, and the ZK future.
Read 26 tweets
smartcontracts.eth Profile picture
Jul 28, 2022
Wen? A talk about the future of Optimism.
Part of a series of talks from a small technical workshop hosted by @optimismFND in Paris dev.optimism.io/op-in-paris-ro…
Oh, and ZK
Read 4 tweets
smartcontracts.eth Profile picture
Jul 27, 2022
👀 highly Optimistic @rainbowdotme app icon? Image
Looks like the option shows up once you get the Optimism Explorer NFT
Image
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(