Investing.com – The hack of the Wormhole bridge was one of the darkest hours to date for the network connected to it.
In the worst case, it could have been a real disaster that shook the foundations of the entire crypto world. Only immediate compensation for the damage, amounting to 120,000 ether, prevented entire ecosystems from collapsing like a house of cards.
In order to understand what happened and imagine what could happen, we need to take a detailed look at what Wormhole is and exactly how the platform works.
What is Wormhole, actually?
Wormhole is a so-called bridge that has only one function: to connect different blockchains. Thanks to this connection, transactions can be carried out directly between different blockchains.
If you own Ethereum and want to participate in a Solana project, you previously had to convert Ether to SOL via an exchange, which was complicated. This step is no longer necessary when a bridge such as Wormhole is used. You deposit ETH on one side and get WETH compatible with Solana on the other, in a 1:1 ratio.
It is precisely this mechanism between Ethereum and Solana that the hackers exploited. The plan was to take advantage of a series of unfortunate circumstances, to say the least. To exaggerate a little, one could say that the stupidity of the various people involved was to be turned into cold hard money.
How did the attack happen?
As early as October 12, Solana noticed a security vulnerability. But instead of taking direct action and notifying Wormhole of the situation, the developers bundled the fix into a regular update that was supposed to ship with version 1.9.4.
They mistakenly believed that no one would discover the security flaw, even though the code was publicly available. At the time, anyone with advanced software knowledge could identify and exploit the vulnerability. Those responsible simply failed to close it with a hotfix.
Jeff Galloway, a blockchain expert and founder of the SafeCoin blockchain for the Solana community, said the following in an interview with Investing.com:
“Hiding important security fixes in public updates that were not immediately implemented is a very unfortunate and very careless tactic. Once the bug became known, Wormhole was supposed to immediately release an emergency update.”
It is indisputable that the vulnerability was known on Solana's side. It is publicly logged as “Not secure because Sysvar accounts address has not been checked, please use ‘load_instruction_at_checked’ instead”.
Jeff Galloway commented on this startling incident as follows:
“Solana released an update on October 12, 2021 that clearly shows that there was a vulnerability. But the faulty code was not removed, Wormhole received no notification and no emergency update was made. The unsecured functionality was simply the subject of a visible notice to everyone.”
So it is clear that Solana knew about the vulnerability for months and did absolutely nothing. It remains to be seen how many of those responsible knew about it and why they preferred to sit idle rather than act.
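What the logged message means in practice, as an added example that is not Solana or Wormhole code: a program receives its accounts from the caller, so a loader that never compares the account address reads whatever was passed in. The types, the constructed keys, the one-byte record layout and the names `model_load_unchecked` and `model_load_checked` are assumptions of this simplified model.

```rust
// Simplified model of the address check; not the solana_program crate.
type Pubkey = [u8; 32];

// Constructed stand-in for the fixed address of the instructions sysvar.
const SYSVAR_INSTRUCTIONS_ID: Pubkey = [0x11; 32];

// An account as handed to a program: the caller chooses which accounts to pass.
struct AccountInfo {
    key: Pubkey,
    data: Vec<u8>, // constructed layout: one byte per recorded instruction
}

#[derive(Debug, PartialEq)]
enum LoadError {
    UnsupportedSysvar, // address is not the instructions sysvar
    OutOfRange,        // no instruction recorded at that index
}

// Unchecked pattern: reads the record from whatever account sits in the slot.
fn model_load_unchecked(index: usize, acct: &AccountInfo) -> Result<u8, LoadError> {
    acct.data.get(index).copied().ok_or(LoadError::OutOfRange)
}

// Checked pattern: compare the address first, then read.
fn model_load_checked(index: usize, acct: &AccountInfo) -> Result<u8, LoadError> {
    if acct.key != SYSVAR_INSTRUCTIONS_ID {
        return Err(LoadError::UnsupportedSysvar);
    }
    model_load_unchecked(index, acct)
}

fn main() {
    let genuine = AccountInfo { key: SYSVAR_INSTRUCTIONS_ID, data: vec![7] };
    // Same layout, different address, contents chosen by whoever created it.
    let lookalike = AccountInfo { key: [0x22; 32], data: vec![9] };
    println!("unchecked, look-alike: {:?}", model_load_unchecked(0, &lookalike));
    println!("checked, look-alike:   {:?}", model_load_checked(0, &lookalike));
    println!("checked, genuine:      {:?}", model_load_checked(0, &genuine));
}
```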
Ethereum had a similar problem
Anyway, this is not a common practice. As Windows users, we’ve certainly been used to living with vulnerabilities over the past few decades, but we also don’t do hundreds of millions of dollars in transactions.
Last year, Ethereum provided a great example of how to do it right. A similar critical bug was detected in the Ethereum Virtual Machine (EVM), but the reaction was immediate and a hard fork was put in place.
Wormhole ignores the security flaw
After Solana's inaction, the developers of Wormhole noticed the vulnerability on January 11, 2022. Again, there was an opportunity to fix the problem immediately, but nothing happened.
There are only two possibilities: either those responsible did not understand the extent of the vulnerability, or they did not have the time to look into the problem. So the security flaw, which would soon become a feature for printing money, remained in place.
On February 2, 2022, Wormhole published a security patch intended for a future update, and less than nine hours later the attack occurred.
Jeff Galloway summed up the event as follows:
“A lack of communication, failure to respond to critical issues, and human error enabled this high impact attack originating in Solana’s blade.”
Could the attack have been avoided?
The course of this incident clearly shows that there were various opportunities to intervene. Instead, it seems to have been consciously accepted that months passed without anything being done.
An assessment confirmed by Jeff Galloway:
“If at any point in this process, between October 12, 2021 and February 2, 2022, anyone (Solana, Wormhole, or something else) had followed the Basic Security Guidelines for responding to a serious security issue, this attack would not have happened.”
But anyone who thinks that this is the whole story is seriously mistaken.
It is normal for security vulnerabilities to appear when creating a platform. But if a vulnerability is not closed once it is known, that is human error, a problem so frequent that it should have been taken into account during development.
But the massive pressure of development, which follows purely economic interests, prevented this.
Jeff Galloway told Investing.com about this:
“If Wormhole was designed as a redundant backup system rather than a vulnerability, this attack would not occur even if the attackers were aware of the vulnerability.
If Wormhole had a public test network, this would in turn enforce appropriate security measures and potentially prevent an attack.”
If Jeff Galloway knows exactly what he’s talking about, it’s because he was involved in developing SafeBridge, the platform that will serve as a springboard for the growing ecosystem on the SafeCoin blockchain.
It includes redundant security checks that ensure that every transaction complies with the basic consensus rules of all the blockchains involved. There is also a public test network. Everything Wormhole lacks is long past the theory stage here.
SafeBridge has already been released on a public test network and anyone can test it thoroughly.
Regarding SafeBridge development, Galloway explained:
“Every blockchain bridge must be built to withstand the most serious security threat that exists: human error.
In the case of a bridge between several projects, this can only be achieved through increased security, using the most reliable validations for each blockchain. This is exactly what we are developing. As far as I know, we are the first in this field.
We still hope to create a public Wormhole test network. But in the meantime, the community is happy to use and test our network for free.”
The exact operation of SafeBridge can be seen on the chart above. In principle, it shows how every bridge works. The areas marked in green, however, are extensions that only SafeBridge has.
To make it easier to understand, we asked Jeff Galloway if he could provide us with an example. He showed his sense of humor in describing how it works, using Wormhole as the example.
Wormhole: Transfer of 127,000 ETH from Solana to Ethereum:
Smart contract on Solana verifies: “It sounds good to me!”
Wormhole asks, “Is everyone okay?” The Guardians respond, “Yes, of course! If the smart contract says all is well, it should be OK!”
Wormhole: “Ok Ethereum, here is 127,000 ETH.”
Ethereum: “Thank you very much!”
SafeBridge: Transfer of 127,000 ETH from Solana to Ethereum:
Smart contract on Solana verifies: “It sounds good to me!”
SafeBridge: “Wow! Hey Ethereum, just to make sure, did these people deposit 127,000 ETH?”
Ethereum: “Sorry? No, they only deposited 0.1 ETH.”
SafeBridge: Payment is not currently possible.
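The two dialogues above as an added model, which is not SafeBridge or Wormhole code: one release path pays whatever an approved attestation claims, the other re-reads the deposit record on the source chain first. The data structures, the milli-ETH unit and the extra once-only payout check are assumptions of this example and go slightly beyond the dialogue.

```rust
use std::collections::{HashMap, HashSet};

// Added model, not SafeBridge code. Amounts are in milli-ETH (0.1 ETH = 100).
const MILLI: u64 = 1_000;

// Payout request as approved (or not) by the guardians.
struct Attestation { deposit_id: u64, amount: u64, guardians_approved: bool }

#[derive(Debug, PartialEq)]
enum Reject {
    NotApproved,
    UnknownDeposit,
    AmountMismatch { deposited: u64, claimed: u64 },
    AlreadyReleased,
}

// Single check: pay whatever the approved attestation claims.
fn release_trusting(att: &Attestation) -> Result<u64, Reject> {
    if !att.guardians_approved {
        return Err(Reject::NotApproved);
    }
    Ok(att.amount)
}

// Redundant check: re-read the deposit on the source chain before paying.
fn release_verified(
    att: &Attestation,
    source_deposits: &HashMap<u64, u64>,
    released: &mut HashSet<u64>,
) -> Result<u64, Reject> {
    release_trusting(att)?;
    let deposited = *source_deposits.get(&att.deposit_id).ok_or(Reject::UnknownDeposit)?;
    if deposited != att.amount {
        return Err(Reject::AmountMismatch { deposited, claimed: att.amount });
    }
    if !released.insert(att.deposit_id) {
        return Err(Reject::AlreadyReleased); // each deposit pays out once
    }
    Ok(att.amount)
}

fn main() {
    // Constructed case from the dialogue: 0.1 ETH deposited, 127,000 ETH claimed.
    let deposits = HashMap::from([(1u64, MILLI / 10)]);
    let forged = Attestation { deposit_id: 1, amount: 127_000 * MILLI, guardians_approved: true };
    let mut released = HashSet::new();
    println!("trusting: {:?}", release_trusting(&forged));
    println!("verified: {:?}", release_verified(&forged, &deposits, &mut released));
}
```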
In the end, it must be said that the disaster was entirely homemade: the result of human error and a lack of technical knowledge.
To be fair, it must be said that this is not an isolated case. The pressure of business development means that new features for users take precedence over security aspects.
But this does not improve the situation, quite the contrary. In a world of networked blockchains, where DeFi protocols implement automated transactions with each other, the potential for a major catastrophe increases.
If a large amount of capital disappears in one place, the entire house of cards could collapse, much as the bankruptcy of Lehman Brothers caused a global financial crisis in 2008.
So this behind-the-scenes look was all the more important. Many thanks to Jeff Galloway of SafeCoin, who gave us his valuable time to provide a complete overview of the situation.
For completeness, here’s the official reaction from Jump Crypto, the owner of Wormhole.
“Today I am proud of everyone on the Jump and Wormhole team. They have shown incredible perseverance and energy in a very difficult situation.”
“Jump invested 120K in its ETH because we believe in the wormhole and want to support it at this point in its development.”
By Marco Uhrl