The Wormhole Hack: How Soteria detects the vulnerability automatically

sec3 (formerly Soteria)
Coinmonks


Recently, an attacker was able to steal more than $320 million from Wormhole, a popular bridge linking Solana and Ethereum.

The root cause lies in a bug in verify_signatures of the Wormhole bridge code:

(1) it did not validate an input account and

(2) it used an unsafe and deprecated Solana API to parse the account.

If Wormhole had avoided either (1) or (2) above, the attack would have been prevented.

For (1), we elaborate in the “premium version” section in the second half of this article (see also the detailed analysis by samczsun and the bug fix).

For (2), the API load_instruction_at provided in solana_program::sysvar::instructions does not check the validity of accs.instruction_acc.

Therefore, the attacker could supply a fake account to verify_signatures. The code diffs for the fixes are shown below:

The fix for missing sysvar check in branch sec/instructions-fix
The fix for using safe checked API in branch dev.v2
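
The difference between the unchecked and checked loading patterns from (2), as an added Rust model that is not Wormhole's or Solana's own code. The types, the placeholder addresses, the one-record data layout and the gate function are assumptions made so that it runs without the solana_program crate.

```rust
// Simplified model: these types stand in for solana_program's and are not its API.
type Pubkey = [u8; 32];

const INSTRUCTIONS_SYSVAR_ID: Pubkey = [7u8; 32]; // constructed placeholder address
const EXPECTED_PROGRAM_ID: Pubkey = [9u8; 32]; // constructed placeholder address

struct Account {
    key: Pubkey,   // address of the account the caller passed in
    data: Vec<u8>, // contents; caller-controlled unless the runtime owns the account
}

#[derive(Debug, PartialEq)]
enum LoadError {
    UnsupportedSysvar,
    OutOfBounds,
}

// Toy layout (assumption): record i is the 32-byte program id of instruction i.
fn parse_program_id(index: usize, data: &[u8]) -> Result<Pubkey, LoadError> {
    let bytes = data.get(index * 32..index * 32 + 32).ok_or(LoadError::OutOfBounds)?;
    let mut id = [0u8; 32];
    id.copy_from_slice(bytes);
    Ok(id)
}

// Unchecked pattern: parses the data of whatever account was supplied.
fn load_unchecked(index: usize, acc: &Account) -> Result<Pubkey, LoadError> {
    parse_program_id(index, &acc.data)
}

// Checked pattern: the account address must be the sysvar's before parsing.
fn load_checked(index: usize, acc: &Account) -> Result<Pubkey, LoadError> {
    if acc.key != INSTRUCTIONS_SYSVAR_ID {
        return Err(LoadError::UnsupportedSysvar);
    }
    parse_program_id(index, &acc.data)
}

// Hypothetical gate: trusts the loaded record to decide if the expected instruction ran.
fn gate(load: fn(usize, &Account) -> Result<Pubkey, LoadError>, acc: &Account) -> bool {
    load(0, acc) == Ok(EXPECTED_PROGRAM_ID)
}

fn main() {
    // Constructed input: a non-sysvar account whose data mimics a valid record.
    let fake = Account { key: [1u8; 32], data: EXPECTED_PROGRAM_ID.to_vec() };
    println!("unchecked accepts fake: {}", gate(load_unchecked, &fake));
    println!("checked accepts fake:   {}", gate(load_checked, &fake));
}
```

The unchecked loader lets the gate pass on account data the caller wrote, while the checked loader fails with UnsupportedSysvar before any parsing happens.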
