The decentralized finance space experienced its first major setback of the year on 3 February when over $321 million in Ether was stolen from the cross-chain network Wormhole. While it was not the first multi-million-dollar DeFi hack this year, it was the largest so far this year, and the second-largest ever.
The hackers had managed to mint 120,000 wrapped Ether (wETH) on Solana, after which they redeemed 93,750 wETH for ETH on the Ethereum network. The rest was swapped for other small-cap altcoins on Solana’s platform.
After promising to bring back the lost tokens, the Wormhole team has now revealed that the lost funds have been restored and that the platform is operational again. It also said that all users' funds have been secured, although they will not be redeemable until further notice.
The 120,000 ETH was replaced by Jump Crypto, a crypto venture company that owns Certus One, the developer of the Wormhole token bridge.
.@JumpCryptoHQ believes in a multichain future and that @WormholeCrypto is essential infrastructure. That’s why we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop.
— Jump Crypto (@JumpCryptoHQ) February 3, 2022
The single largest DeFi bailout ever recorded has brought the platform back on its feet quickly. However, the mammoth task of recovering the 120,000 wETH from the hacker(s) still awaits them. To that end, Wormhole has reached out to the miscreants on-chain, offering them a $10 million bounty in return for the funds.
The platform is also yet to publish an incident report on the matter, even as many experts have jumped to the task of solving this mystery. The analysts behind Rekt Capital have come up with their own theory, stating that the hackers bypassed the ‘guardians’, the entities that sign off on transfers between chains on Solana’s Wormhole bridge, by using a SignatureSet created in a previous transaction.
The hackers were then able to exploit a bug in the network’s smart contracts that authorizes minting of tokens, resulting in them being able to “fraudulently mint 120k wETH on Solana using VAA verification that had been created in a previous transaction.”
Kelvin Fichter, a developer of the ETH Layer 2 solution Optimism, offered a more detailed analysis of the incident on Twitter by retracing the hackers’ steps. According to him, the hacker had first deposited 0.1 ETH into Solana before minting the exorbitant amount.
One of the parameters that this function takes is a “transfer message”, basically a message signed by the guardians that says which token to mint and how much: https://t.co/82NbEvXY8f
— smartcontracts (@kelvinfichter) February 3, 2022
He further explained that the “transfer message” contracts get created on Solana by triggering a function called “post_vaa”, which validates the message by checking the signatures from the guardians. According to Fichter, the hacker was able to bypass the verification process by exploiting a few discrepancies in the code. He added:
“Using this “fake” system program, the attacker could effectively lie about the fact that the signature check program was executed. The signatures weren’t being checked at all… The attacker made it look like the guardians had signed off on a 120k deposit into Wormhole on Solana, even though they hadn’t. All the attacker needed to do now was to make their “play” money real by withdrawing it back to Ethereum.”
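The failure Fichter describes, a check that trusts a caller-supplied account to report that signature verification ran, can be shown next to its hardened form. This is an added example, not Wormhole's code and not Solana SDK code: it is a simplified model, and every type, function and address in it is hypothetical.

```rust
// Simplified model, not Solana SDK or Wormhole code. All names are hypothetical.
struct Account {
    address: &'static str,       // identity of the account the caller passed in
    executed: Vec<&'static str>, // programs it reports as already run in this transaction
}

// Constructed placeholder identifiers for the model.
const TRUSTED_ACCOUNT: &str = "runtime-owned-account";
const SIG_CHECK_PROGRAM: &str = "signature-check-program";

/// Vulnerable: reads the report without checking which account supplied it.
fn signatures_verified_vulnerable(acct: &Account) -> bool {
    acct.executed.contains(&SIG_CHECK_PROGRAM)
}

/// Hardened: confirm the account is the trusted one before believing its contents.
fn signatures_verified_hardened(acct: &Account) -> Result<bool, &'static str> {
    if acct.address != TRUSTED_ACCOUNT {
        return Err("unexpected account supplied in place of the trusted one");
    }
    Ok(acct.executed.contains(&SIG_CHECK_PROGRAM))
}

/// Mint only when the guardians' signatures are reported as verified.
fn mint(acct: &Account, amount: u64, hardened: bool) -> Result<u64, &'static str> {
    let verified = if hardened {
        signatures_verified_hardened(acct)?
    } else {
        signatures_verified_vulnerable(acct)
    };
    if verified { Ok(amount) } else { Err("guardian signatures not verified") }
}

fn main() {
    // Constructed inputs: a look-alike account that lies, and a genuine one where no check ran.
    let fake = Account { address: "look-alike-account", executed: vec![SIG_CHECK_PROGRAM] };
    let genuine = Account { address: TRUSTED_ACCOUNT, executed: vec![] };
    println!("vulnerable, look-alike account: {:?}", mint(&fake, 120_000, false));
    println!("hardened, look-alike account:   {:?}", mint(&fake, 120_000, true));
    println!("hardened, genuine, no check:    {:?}", mint(&genuine, 120_000, true));
}
```

The hardened path rejects the look-alike account before reading it, so its claim that the signature check ran never reaches the mint decision.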
The analyst concluded that Wormhole was about to fix the bug in question without realizing it, and that the exploiter probably had prior knowledge of it and acted swiftly before the vulnerability was patched.
Attacker probably spotted the change and had prior knowledge of the sort of vulnerabilities that the older function enabled, and was able to quickly put together the attack.
— smartcontracts (@kelvinfichter) February 3, 2022
Source: https://ambcrypto.com/wormhole-restores-hacked-300m-through-vc-funding-in-largest-ever-defi-bailout/