On the night of February 3, the Solana-based Wormhole cross-chain protocol was hacked. The attackers used an exploit to withdraw 120,000 WETH from the project's pool (over $319 million at the exchange rate at the time of writing).
The developers reported that they had closed the vulnerability and sent “additional ETH” to the pool to provide liquidity support.
The team closed access to the service while it investigated the incident.
CertiK explained that Wormhole smart contracts did not fully validate input data, which allowed transactions to be initiated with incorrect variables. This vulnerability let the hackers release WETH to their address.
A Paradigm security analyst known by the nickname samczsun noted that the project team contacted the attackers' address on the Ethereum network. The developers offered a fee of $10 million for the return of the assets.
He also confirmed that the vulnerability is related to how the cross-chain bridge protocol verifies input data. According to the analyst, the exploit made it possible to bypass signature verification completely.
Recall that in January 2022, Ethereum founder Vitalik Buterin called cross-chain bridges vulnerable due to problems related to asset security.