Wormhole Bridge Exploit Analysis by CertiK


Summary

On February 02, 2022, at 17:58:04 UTC, an attacker launched an attack to bypass the verification process of the Wormhole bridge on Solana and mint Wormhole ETH (wETH) for themselves.

The attacker bypassed this verification step by injecting a spoofed sysvar account and generated a malicious “message” specifying that 120,000 wETH be minted. Finally, by invoking the “complete_wrapped” function with the malicious “message”, the attacker successfully minted 120,000 wETH.

Exploit Transactions

  1. https://solscan.io/tx/2zCz2GgSoSS68eNJENWrYB48dMM1zmH8SZkgYneVDv2G4gRsVfwu5rNXtK5BKFxn7fSqX9BvrBc1rdPAeBEcD6Es (mints 120,000 Wormhole ETH)
  2. https://etherscan.io/address/0x629e7da20197a5429d30da36e77d06cdf796b71a#internaltx (bridges tokens to Ethereum)

Attack Flow

1. The attacker invoked the “verify_signatures” function with a spoofed sysvar account: https://solscan.io/tx/25Zu1L2Q9uk998d5GMnX43t9u9eVBKvbVtgHndkc2GmUFed8Pu73LGW6hiDsmGXHykKUTLkvUdh4yXPdL3Jo4wVS


The spoofed “verify_signatures” function with a malicious “sysvar account”:


In contrast, the following snapshot is a correct “verify_signatures” function with the correct “sysvar account”:


The “verify_signatures” function loads the current instructions from sysvar (L92).


However, the function “load_current_index” does not validate whether the injected “sysvar account” is actually the “system sysvar”. Because the current instruction (L92) retrieved from the “sysvar” is controlled by the attacker, the subsequent verification process succeeds.

2. The attacker then invoked the “post_vaa” function with the verified signatures from the previous step and created a malicious message account stating that 120,000 wETH is to be minted: https://solscan.io/tx/2SohoVoPDSdzgsGCgKQPByKQkLAXHrYmvtE7EEqwKi3qUBTGDDJ7DcfYS7YJC2f8xwKVVa6SFUpH5MZ5xcyn1BCK


  • Account2 is the signature set generated by the “verify_signatures” instruction.
  • Account3 is the message account that will be used in the following “complete_wrapped” function.

3. The attacker invoked the “complete_wrapped” function that reads the data in the malicious message account and mints the 120,000 wETH:

https://solscan.io/tx/2zCz2GgSoSS68eNJENWrYB48dMM1zmH8SZkgYneVDv2G4gRsVfwu5rNXtK5BKFxn7fSqX9BvrBc1rdPAeBEcD6Es

  • Account3 is the message account generated by the “post_vaa” function.
  • Account6 is the “to” address to receive the minted Wormhole ETH.
  • Account9 is the mint authority for Wormhole ETH and is a PDA (program-derived address). This is why, once signature verification passes, the attacker can mint tokens directly.

4. Part of the minted wETH was transferred to Ethereum. The rest was swapped to USDC and SOL.

Contracts Vulnerability Analysis

The root cause of this exploit is that in the verification process (“verify_signatures”), the program uses a deprecated function, “load_current_index”. This function does not verify that the supplied “sysvar account” is actually the “system sysvar”, allowing an attacker to falsify this critical account.




To prevent such an issue from occurring in the future, it is mandatory to check and verify all accounts a function uses. This is especially true in this instance, where the onus of the verification process was placed on an external function: relying on external sources for access control places a great deal of trust in that external dependency, creating risk.
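
The missing account check described above, as an added example that is not CertiK's, Wormhole's or the Solana SDK's code: a simplified Rust model comparing a verifier that trusts whatever account is passed as the sysvar with one that confirms the account's address first. The `Account` struct, the key constants, the data layout and the "signature-check instruction precedes the current one" rule are all assumptions of the model.

```rust
// Simplified model, not Solana SDK code: every name and value is constructed.
#[derive(Debug, PartialEq)]
enum VerifyError { WrongSysvarAccount, TruncatedData, NoSigCheckInstruction }

struct Account { key: [u8; 32], data: Vec<u8> }

// Placeholder standing in for the real instructions sysvar address.
const INSTRUCTIONS_SYSVAR: [u8; 32] = [0x11; 32];
// Placeholder id for the program that performs the signature check (assumption).
const SIG_CHECK_PROGRAM: u8 = 0xEC;

// Model layout: data = [program id per instruction ..., index of current instruction].
fn previous_program(acct: &Account) -> Result<u8, VerifyError> {
    let (&current, programs) = acct.data.split_last().ok_or(VerifyError::TruncatedData)?;
    let prev = (current as usize).checked_sub(1).ok_or(VerifyError::NoSigCheckInstruction)?;
    programs.get(prev).copied().ok_or(VerifyError::TruncatedData)
}

// Vulnerable pattern: reads the instruction list from whatever account was passed.
fn verify_signatures_unchecked(sysvar: &Account) -> Result<(), VerifyError> {
    if previous_program(sysvar)? != SIG_CHECK_PROGRAM {
        return Err(VerifyError::NoSigCheckInstruction);
    }
    Ok(())
}

// Hardened pattern: confirm the account's address before trusting its contents.
fn verify_signatures_checked(sysvar: &Account) -> Result<(), VerifyError> {
    if sysvar.key != INSTRUCTIONS_SYSVAR {
        return Err(VerifyError::WrongSysvarAccount);
    }
    verify_signatures_unchecked(sysvar)
}

fn main() {
    // Genuine sysvar: a signature-check instruction really ran at index 0.
    let genuine = Account { key: INSTRUCTIONS_SYSVAR, data: vec![SIG_CHECK_PROGRAM, 0x01, 1] };
    // Caller-supplied account whose data only claims that it did.
    let spoofed = Account { key: [0x22; 32], data: vec![SIG_CHECK_PROGRAM, 0x01, 1] };
    println!("unchecked, spoofed: {:?}", verify_signatures_unchecked(&spoofed));
    println!("checked, spoofed:   {:?}", verify_signatures_checked(&spoofed));
    println!("checked, genuine:   {:?}", verify_signatures_checked(&genuine));
}
```

The unchecked verifier accepts the spoofed account because its data is byte-for-byte what a genuine sysvar would contain; only the address comparison tells the two apart.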


