Wormhole Incident Report — 02/02/22

Background

Wormhole is a decentralized, cross-chain message passing protocol. It enables applications to send messages from one chain to another. The network is operated by a decentralized group of nineteen Guardians who sign each transmitted message to attest to its authenticity. The protocol uses a multi-party signature system where a message is treated as authentic if ⅔+ of the Guardians have signed it.

Timeline and response

18:24 UTC — An unidentified attacker exploited a vulnerability in the Solana-side Wormhole contract and tricked it into minting 120,000 uncollateralized Wormhole-wrapped ETH (weETH). The attacker then sent 93,750 weETH back to Ethereum, redeeming it for native ETH (1, 2, 3), and swapped the remaining weETH into SOL on Solana.

Vulnerability

The root cause of the exploit was a bug in the signature verification code of the core Wormhole contract on Solana. This bug allowed the attacker to forge a message from the Guardians to mint Wormhole-wrapped Ether.
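As an added illustration of the ⅔+ quorum rule described under Background (not code from the Wormhole repository): a Go verifier that treats a message as authentic only when more than two thirds of the guardian set have produced valid signatures from distinct, in-range guardians. The GuardianSig layout, the ed25519 keys and the NewTestSet helper are constructed for this example and are assumptions, not Wormhole's wire format.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// GuardianSig is one guardian's signature, tagged with its index in the guardian set.
type GuardianSig struct{ Index int; Sig []byte }
// Quorum is the count needed for n guardians: more than two thirds, so 13 of 19.
func Quorum(n int) int { return (2*n)/3 + 1 }

// VerifyQuorum accepts msg only if at least Quorum(len(set)) distinct, in-range
// guardians produced a valid signature over it; every failure is an explicit reject.
func VerifyQuorum(set []ed25519.PublicKey, msg []byte, sigs []GuardianSig) error {
	seen := make(map[int]bool)
	for _, s := range sigs {
		if s.Index < 0 || s.Index >= len(set) {
			return fmt.Errorf("signer index %d outside current guardian set", s.Index)
		}
		if seen[s.Index] { // one key must never be counted twice
			return fmt.Errorf("duplicate signature from guardian %d", s.Index)
		}
		if !ed25519.Verify(set[s.Index], msg, s.Sig) {
			return fmt.Errorf("bad signature from guardian %d", s.Index)
		}
		seen[s.Index] = true
	}
	if len(seen) < Quorum(len(set)) {
		return fmt.Errorf("%d valid signatures, need %d", len(seen), Quorum(len(set)))
	}
	return nil
}

// NewTestSet generates n constructed keypairs (not real guardian keys); guardians at idx sign msg.
func NewTestSet(n int, idx []int, msg []byte) ([]ed25519.PublicKey, []GuardianSig) {
	pubs, privs := make([]ed25519.PublicKey, n), make([]ed25519.PrivateKey, n)
	for i := range pubs {
		pubs[i], privs[i], _ = ed25519.GenerateKey(rand.Reader)
	}
	sigs := make([]GuardianSig, 0, len(idx))
	for _, i := range idx {
		sigs = append(sigs, GuardianSig{i, ed25519.Sign(privs[i], msg)})
	}
	return pubs, sigs
}

func main() { // constructed demo: guardians 0-12 (13 of 19) sign, which meets quorum
	pubs, sigs := NewTestSet(19, []int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}, []byte("msg"))
	fmt.Println(VerifyQuorum(pubs, []byte("msg"), sigs))
}
```

The duplicate-index and out-of-range checks are the ones a forged-message test should exercise: without them a single valid signature could be replayed to reach quorum.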

Addressing rumors

In the aftermath of the attack, rumors surfaced on social media that Wormhole contributors had been aware of the vulnerability weeks prior to the attack. These speculations were sparked by a recent commit in the Wormhole repository.

Looking forward

The Wormhole community remains committed to the security of the bridge and all participants.

Audits

Before Wormhole launched in Summer 2021, its code was reviewed by Neodyme, one of the most accomplished Solana auditing firms, with the report published in January 2022. Subsequently, three firms were scheduled before the incident to perform comprehensive and ongoing audits of the Wormhole code base:

  • Kudelski kicked off an audit in the 3rd week of January 2022.
  • Neodyme has recently been contracted to perform ongoing audits to secure Wormhole’s roadmap and network additions.
  • Trail of Bits has been contracted to perform two audits in 2022.

Security Roadmap

There are several items on our roadmap which further strengthen the security of cross-chain messaging and bridging, including:

  • Accounting mechanism to isolate risks to individual chains
  • Dynamic risk management
  • Ongoing monitoring and early detection of incidents

Bug Bounty on Immunefi

In December 2021, the community began the process of launching a formal bug bounty program on Immunefi. The program will launch in mid-February and feature a maximum bounty of $3.5M — believed to be the highest in the industry.
