Ethereum-Solana blockchain collapse is pre-planned


Investing.com – The Wormhole Bridge hack, which connects to , was one of the network’s darkest hours so far.

In the worst case, it could have been a real disaster that would have shaken the foundations of the entire crypto universe. Only the immediate compensation for the damage suffered, up to 120,000 ethers, has prevented entire ecosystems from collapsing like a house of cards.

In order to understand what happened and imagine what could have happened, we need to take a detailed look at what Wormhole is and how exactly the platform works.

What is Wormhole in reality?

Wormhole is a so-called bridge that has only one function: to link different blockchains together. Thanks to this connection, it is possible to carry out transactions between blockchains that are inherently different.

If you own Ethereum and want to participate in a Solana project, you previously had to convert the ethers into SOL via an exchange, which was complicated. This approach is no longer necessary when using a bridge like Wormhole.

You deposit ETH on one side and get Solana-compatible WETH on the other side, in a 1:1 ratio.

It is precisely this mode of operation between Ethereum and Solana that hackers have exploited. The plan was to exploit a chain of unfortunate circumstances, to say the least. Put bluntly, one could say that the stupidity of various people involved had to be turned into cold hard cash.

How did the attack take place?

As early as October 12, Solana noted the existence of a security breach. But instead of taking direct action and notifying Wormhole of the situation, the developers bundled the fix into a normal update that was supposed to ship with version 1.9.4.

They mistakenly believed that no one would discover the security flaw, despite the code being publicly available.

At that time, it was therefore possible for anyone with advanced programming knowledge to identify and exploit the security flaw. Officials simply failed to patch the security hole with a hotfix.

Jeff Galloway, blockchain expert and founder of the Solana community’s SafeCoin blockchain, said the following in an interview with Investing.com:

“Hiding important security fixes in public updates that are not immediately implemented is an extremely unfortunate and grossly negligent approach. As soon as the bug became known, Wormhole should have issued an emergency update immediately.”

That the security breach was known on the Solana site is indisputable. It was publicly logged as “Not secure because Sysvar accounts address is not verified, please use `load_instruction_at_checked` instead”.
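The notice quoted above says the older loader does not verify the address of the account it reads from. A stand-alone model of that difference, added here as an illustration (not Solana SDK or Wormhole code; the types, the placeholder address and the function names are hypothetical):

```rust
// Added illustration: a stand-alone model, not Solana SDK or Wormhole code.
// Every type, constant and function name below is hypothetical.
type Pubkey = [u8; 32];

// Constructed placeholder for the fixed address of the instructions sysvar.
const INSTRUCTIONS_SYSVAR_ID: Pubkey = [7u8; 32];

#[derive(Debug, PartialEq)]
enum LoadError { UnsupportedSysvar, IndexOutOfRange }

// An account handed to the program by the transaction's sender.
struct AccountInfo { key: Pubkey, instructions: Vec<Vec<u8>> }

// Unchecked loader: reads from whatever account the caller supplied.
fn load_instruction_unchecked(idx: usize, acct: &AccountInfo) -> Result<&[u8], LoadError> {
    acct.instructions.get(idx).map(|v| v.as_slice()).ok_or(LoadError::IndexOutOfRange)
}

// Checked loader: refuses any account whose address is not the sysvar's.
fn load_instruction_checked(idx: usize, acct: &AccountInfo) -> Result<&[u8], LoadError> {
    if acct.key != INSTRUCTIONS_SYSVAR_ID {
        return Err(LoadError::UnsupportedSysvar);
    }
    load_instruction_unchecked(idx, acct)
}

// Constructed sample: the genuine sysvar and a look-alike with sender-chosen contents.
fn sample_accounts() -> (AccountInfo, AccountInfo) {
    let genuine = AccountInfo { key: INSTRUCTIONS_SYSVAR_ID, instructions: vec![b"transfer".to_vec()] };
    let lookalike = AccountInfo { key: [9u8; 32], instructions: vec![b"anything".to_vec()] };
    (genuine, lookalike)
}

fn main() {
    let (genuine, lookalike) = sample_accounts();
    println!("unchecked, look-alike: {:?}", load_instruction_unchecked(0, &lookalike));
    println!("checked, look-alike:   {:?}", load_instruction_checked(0, &lookalike));
    println!("checked, genuine:      {:?}", load_instruction_checked(0, &genuine));
}
```

The unchecked loader returns the look-alike account's contents as if they came from the sysvar; the checked loader rejects the account before reading anything from it.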

This incredible incident was commented on by Jeff Galloway as follows:

“Solana released an update on October 12, 2021 which clearly shows that there is a security vulnerability.

But the faulty code was not removed, Wormhole received no notification and no emergency update has been performed. The insecure function has simply been the subject of a notice visible to all”.

So it’s clear that Solana had known about the security breach for months and did absolutely nothing. It remains to be seen how many officials knew about it and why they preferred to sit back rather than act.

Ethereum had a similar problem

In any case, this is not a common practice. As Windows users, we’ve certainly gotten used to living with security vulnerabilities over the past few decades, but we don’t do multi-hundred-million-dollar transactions either.

Last year, Ethereum provided a perfect example of how to do it right.

A similar critical error was discovered in the Ethereum Virtual Machine (EVM), but the reaction was immediate and a hard fork was put in place.

Wormhole ignores security flaw

After Solana failed to act, Wormhole developers noticed the security flaw on January 11, 2022. Once again, there was a chance to fix the issue immediately, but nothing happened.

There are only two possibilities: either the officials did not understand the scope of the security breach, or they did not have time to look into the problem. The security flaw, which would soon turn out to be a feature to print money, therefore remained in place.

On February 2, 2022, Wormhole released a publicly available security patch for a future update and less than nine hours later the attack took place.

Jeff Galloway summarized the event as follows:

“Lack of communication, failure to react to critical issues, and human error enabled this high-impact attack that originated in the Solana code.”

Could the attack have been avoided?

The course of this incident clearly shows that there were several opportunities to intervene. Instead, it seems to have been consciously accepted that months would go by without anything being done.

An assessment confirmed by Jeff Galloway:

“If anyone (Solana, Wormhole or whatever) had followed at any point in this process, between October 12, 2021 and February 2, 2022, the baseline security guidelines for responding to a critical security issue, this attack would not have happened”.

But if one thinks that the whole story is thus told, one is seriously mistaken.

It is normal for security vulnerabilities to appear when creating a platform.

But if they are not fixed once they are known, then it is human error. This problem is so frequent that it should have been taken into account during development.

But the immense pressure of development, which follows purely economic interests, has prevented it.

Jeff Galloway told Investing.com about this:

“If Wormhole had been designed as a redundant backup system and not as a vulnerability, this attack would not have occurred even if the attackers had knowledge of the security flaw.

If Wormhole had a public testnet, that in turn would have enforced proper security measures and most likely prevented the attack.”

If Jeff Galloway knows exactly what he’s talking about, it’s because he’s involved in the development of a bridge: SafeBridge, the platform that will serve as the starting point for the growing ecosystem on the SafeCoin blockchain.

It includes redundant security checks that ensure that every transaction complies with the basic consensus rules of all the chains involved. And there is also a public testnet.

These are all things Wormhole lacks, and they are long past theory.

The SafeBridge has already been released on a public testnet and can be thoroughly tested by anyone.

Regarding the development of SafeBridge, Galloway explained:

“Every blockchain bridge should be built to withstand the most dangerous security threat there is: human error.

In the case of a bridge between several projects, this can only be achieved by redundant security, using the most reliable checks of each blockchain. This is exactly what we are developing. To my knowledge, we are the first in this field.

We still hope to set up a public Wormhole test network. But, in the meantime, the community is happy to use and test our network for free.”

The exact operation of the SafeBridge can be seen on the graph above. In principle, it shows how each bridge works. The areas marked in green, on the other hand, are extensions that only the SafeBridge has.

To make it easier to understand, we asked Jeff Galloway if he could provide us with an example. He showed his sense of humor here by describing the function using the Wormhole attack.

Wormhole: Transfer of 127,000 ETH from Solana to Ethereum:

Smart Contract on Solana checks: “Sounds good to me!”

Wormhole asks, “Is everyone okay?” The Guardians respond, “Yes, of course! If the Smart Contract says everything is fine, it must be fine!”

Wormhole: “Ok Ethereum, here is 127,000 ETH”.

Ethereum: “Thank you very much!”

SafeBridge: Transfer of 127,000 ETH from Solana to Ethereum:

Smart Contract on Solana checks: “Sounds good to me!”

SafeBridge: “Great! Hey Ethereum, just to be sure, did these people just deposit 127,000 ETH?”

Ethereum: “Excuse me? No, they only deposited 0.1 ETH”.

SafeBridge: “A payment is not possible at the moment”.
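The two dialogues above, modeled as an added example (not SafeBridge or Wormhole code): a release that trusts the contract's verdict alone, next to one that also checks the recorded deposit. The `Claim` and `Collateral` types and the per-deposit bookkeeping that keeps payouts 1:1 are assumptions made for illustration.

```rust
use std::collections::HashMap;

// Added illustration of a redundant release check; a model, not SafeBridge or
// Wormhole code. Every type and function name here is hypothetical.
const ETH: u128 = 1_000_000_000_000_000_000; // wei per ether

#[derive(Debug, PartialEq)]
enum Release { Paid(u128), Refused(&'static str) }

// What the bridge is told: the contract's verdict on a claimed deposit.
struct Claim { deposit_id: u64, amount: u128, contract_ok: bool }

// The bridge's own view of the chain holding the collateral.
struct Collateral {
    locked: HashMap<u64, u128>,   // deposit id -> amount actually deposited
    released: HashMap<u64, u128>, // deposit id -> amount already paid out
}

// Single check: pay whenever the contract says the claim is fine.
fn release_single_check(c: &Claim) -> Release {
    if c.contract_ok { Release::Paid(c.amount) } else { Release::Refused("contract rejected") }
}

// Redundant check: also confirm the deposit exists and still covers the claim 1:1.
fn release_redundant(c: &Claim, col: &mut Collateral) -> Release {
    if !c.contract_ok { return Release::Refused("contract rejected"); }
    let locked = match col.locked.get(&c.deposit_id) {
        Some(v) => *v,
        None => return Release::Refused("no such deposit"),
    };
    let paid = col.released.entry(c.deposit_id).or_insert(0);
    if c.amount > locked - *paid { return Release::Refused("deposit does not cover claim"); }
    *paid += c.amount;
    Release::Paid(c.amount)
}

fn main() {
    // Constructed sample: 0.1 ETH really deposited, 127,000 ETH claimed.
    let mut col = Collateral { locked: HashMap::from([(1, ETH / 10)]), released: HashMap::new() };
    let forged = Claim { deposit_id: 1, amount: 127_000 * ETH, contract_ok: true };
    println!("single: {:?}", release_single_check(&forged));
    println!("redundant: {:?}", release_redundant(&forged, &mut col));
}
```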

So ultimately, it has to be noted that the disaster was entirely homemade – the result of human error and a lack of technical know-how.

To be fair, it must be said that this is not an isolated case. The pressure of developing commercial projects is such that new features for users take priority over security aspects.

But this does not improve the situation, quite the contrary.

In a world of networked blockchains, where DeFi protocols execute automated transactions with each other, the likelihood of a super disaster increases.

If a critical amount of capital disappears in one place, the whole house of cards can collapse, like the bankruptcy of Lehman Brothers, which triggered a global financial crisis in 2008.

This look behind the scenes was therefore all the more important. Many thanks to Jeff Galloway from SafeCoin, who gave us his precious time to give us a complete overview of the situation.

For completeness, here is the official reaction from Jump Crypto, the owner of Wormhole.

“Today I’m damn proud of everyone on the Jump and Wormhole team. They showed incredible perseverance and energy in an extremely difficult situation.”

“Jump has invested 120k of its own ETH because we believe in Wormhole and want to support it in this phase of its development.”

By Marco Oehrl.
