One of the worst hacks on the Solana blockchain occurred on Wednesday, when a hacker managed to move 80,000 Ether (ETH) (over $214 million at the time of writing) from the Solana system to the Ether blockchain via the Wormhole bridge – a service that provides the ability to transfer funds between different blockchains. .

The pseudonymous Twitter profile smartcontracts explained in the tweet thread that the hackers finalized the exploit by transferring 80,000 ETH from the Wormhole smart contract on Ether in a single transaction. As it turns out, this was only the final step in a series of hacks that allowed the hackers to steal the funds.

"As dramatic as this is, this deal is just the end of an interesting series of events. I had to start working backwards to figure out how this was possible," smartcontracts tweeted.

The guardian signed a false transfer

In this case, Wormhole is the so-called bridge on Ether, the smart contract, which provides a way to move cryptocurrency assets between different blockchains. According to smart contracts, from a high-level perspective, Wormhole exclusively has a set of so-called guardians who sign transfers between blockchains.

The Wormhole Guardian somehow signed off on this 80,000 ETH transfer as if it were 100% legal.

“The transaction that withdrew 80,000 ETH was actually a transfer of 80,000 ETH from Solana to Ether by the attacker. I had thought the contract might have incorrectly verified the signature on the transfer, but the signature [were] fully checked.”

According to the smart contract, the first breakthrough and partial explanation came from a transaction on Solana that somehow minted 120,000 "Wormhole ETH", which was credited with Ether on Solana, out of nowhere. Since the hacker was able to mint Wormhole ETH on Solana, he was able to properly withdraw it to Ether.

"There's something strange about Solana."

Examining the hacker's transaction history, one transaction occurred before 120,000 Wormhole ETH were minted. In this transaction, the hacker only minted 0.1 Wormhole ETH, as if the hacker was testing the feature with a small amount.

Further examination of the hacker's transaction history shows that the hacker did deposit 0.1 ETH from Ether to Solana. While the attacker did not deposit 120,000 ETH in Ether's Wormhole smart contract, there is something interesting about this deposit.

As smartcontract explained in his tweet, the transaction of casting Wormhole ETH on Solana triggers a Wormhole smart contract function called "complete_wrapped". One of the parameters used by this function is a "transmission message", which is basically a message signed by the bridge's guardian stating which token to mint and how much to mint.

“Solana is a bit strange, so the parameters themselves are smart contracts. But what’s important is how these “transfer message” contracts are created. This is the transaction that generates the 0.1 ETH transfer message,” the smart contract tweeted.

Who's checking checkers?

This "transfer message" contract is created by triggering a function called "post_vaa". Most importantly, post_vaa checks if the message is valid by checking the guardian's signature. smartcontracts says that this part seems reasonable, but it is this signature checking step that breaks everything.

The "post_vaa" function does not actually check for signatures. Instead, in typical Solana fashion, another smart contract is created by calling the "verify_signatures" function. One of the inputs to the "verify_signatures" function is Solana's built-in "system" program, which contains various utilities that the contract can use.

In "verify_signatures", the Wormhole program tries to check if the Secp256k1 signature verification function has been executed for the execution that occurred before this function was triggered.

"This verification function is a built-in tool to verify that a given signature is correct. So signature verification has been outsourced to this program. But that's where the error comes from," the smart contract tweet said.

The Wormhole contract uses the function load_instruction_at to check if the Secp256k1 function was called first, but the load_instruction_at function has recently been deprecated because it

Game over

According to the smart contract, the caller is supposed to provide the system address as input to the program being executed, but the hacker provides a different system address.

This is the "verify_signatures" input for the system address being used as a legal deposit of 0.1 ETH.

Correct system address input Correct system address input

But here is the "verify_signatures" transaction for the 120k ETH fake deposit.

System address input Wrong system address input

That's not the system address.

"Using this 'fake' system program, an attacker can effectively lie about the fact that the signature checker was executed. Signatures are not being checked at all" Smart Contracts tweet.

“After that, the game was over. The attackers made it look like the guardians signed up for a 120k deposit in Solana’s Wormhole, even though they didn’t. All the attacker needs to do now is make it happen by withdrawing their “game” funds to Ether. Then withdraw 80k ETH + 10k ETH (everything on the ethereum bridge) at once and everything disappears.”

CryptoSlate Newsletter

Summarizes the most important daily stories in cryptocurrency, DeFi, NFT, and more.

Source Link