Hackers have stolen over $323 million in cryptocurrencies by exploiting a vulnerability in Wormhole, a web service that allows transactions between blockchains. The wormhole allows people to move digital coins tied to one blockchain to another blockchain; such blockchain bridges are especially useful for decentralized finance (DeFi) services that operate on two or more chains, often with vastly different protocols, rules, and processes.
Bridges use wrapped tokens, which fix tokens on the same blockchain in a smart contract. After a decentralized cross-chain oracle* called a “custodian” certifies that the coins have been properly locked on one chain, the bridge creates or issues tokens of the same value on another chain. The wormhole connects the Solana blockchain to other blockchains, including the Avalanche, Oasis, Binance Smart Chain, Ethereum, Polygon, and Terra blockchains.
*an agent that finds and confirms real events and transfers this data to the blockchain for the use of smart contracts Cryptocurrency .
But what if you can’t trust the custodian? A lengthy analysis posted to Twitter hours after the theft states that the Wormhole’s backend platform failed to properly verify their custodian accounts. By creating a fake signed account, the hacker or hackers behind the theft minted 120,000 ETH – worth about $323 million at the time of the transactions – on the Solana network. The hackers then made a series of transfers that resulted in about 93,750 tokens being transferred to a private wallet stored on the Ethereum chain, blockchain analytics firm Elliptic said.
The hackers pulled off the theft by using an earlier transaction to create a signature set, which is a type of credential. With that, they created Cryptocurrency a VAA, or validator action approval, which is essentially the certificate needed to approve transactions.
“Once they had a fake ‘signature set’, it was trivial to use it to create a valid VAA and trigger unauthorized minting on their account,” wrote @samczsun, Twitter manager for investment firm Paradigm.
“The rest is history. In summary, the wormhole did not properly verify all input accounts, which allowed the attacker to forge the signatures of the custodians and mint 120,000 ETH on Solana, of which they transferred 93,750 back to Ethereum.”