← Back to Hack Archive

Wormhole Hack

February 2, 2022$320 millionSmart Contract VulnerabilitySolana / Ethereum

The Story

On February 2, 2022, an attacker exploited a vulnerability in Wormhole, one of the largest cross-chain bridges connecting Ethereum, Solana, and other blockchains. The hacker managed to mint 120,000 wETH (Wrapped Ethereum) on Solana, worth approximately $320 million at the time, without providing the necessary collateral.

Once the exploit was discovered, the Wormhole team immediately took the bridge offline to investigate and patch the vulnerability. Within hours, Jump Crypto, the parent company behind Wormhole, announced they would replenish the 120,000 ETH to maintain the bridge's solvency and ensure user funds remained backed 1:1.

The hack highlighted the significant security challenges facing cross-chain bridges, which have become critical infrastructure in the multi-chain cryptocurrency ecosystem but also represent particularly attractive targets for attackers due to the large amounts of locked value they hold.

Technical Analysis

The Wormhole hack exploited a critical vulnerability in the bridge's signature verification process on the Solana side. The core issue was that an earlier version of the code had proper signature verification, but a later update failed to validate signatures in certain circumstances.

The vulnerability was in the verify_signatures function that was supposed to check the Guardian signatures:

// Pseudo-code of the vulnerable function
pub fn verify_signatures(
    &self,
    vaa: &VAA,
    signatures: &[SignatureSet],
) -> Result<()> {
    // ... some code omitted for brevity

    // Critical vulnerability: This check was missing
    // if !verify_signatures_and_quorum(...) {
    //     return Err(InvalidSignature.into());
    // }

    // ... some code omitted for brevity
    Ok(())
}

The attacker exploited this by:

  1. Creating a transaction that forged a message claiming to have deposited ETH
  2. Bypassing the signature verification that should have confirmed the deposit
  3. Minting new wETH tokens on Solana without providing actual ETH on Ethereum
  4. Bridging the fraudulently minted wETH back to Ethereum and cashing out

Lessons Learned

  1. Changes to critical security functions must undergo extensive auditing and testing
  2. Multiple layers of validation should exist for high-value operations
  3. Formal verification of smart contracts is essential for cross-chain applications
  4. Continuous monitoring systems should be in place to detect unusual minting or bridging activities
  5. Emergency shutdown mechanisms need to be implemented for rapid response to exploits