August 17, 2022

What your organization can learn from the $324 million Wormhole blockchain hack

The hacker that made off with millions from blockchain bridge service Wormhole exploited an incredibly common coding error that could be lurking in anyone’s software.

Image: tigerstrawberry, iStock/Getty Images

Those following the tech world have probably heard about the recent hack of blockchain bridging service Wormhole that has amounted to the fourth-largest crypto theft, and second-largest De-Fi theft, ever. The attacker who found the exploit created 120,000 Ethereum out of nothing, and made off with about $324 million of it.

For background, Wormhole is a service that lets users exchange cryptocurrencies across blockchains, sort of like swapping one fiat currency for another. In this particular case, the attacker exploited Wormhole in such a way that they were able to trick it into minting 120,000 wrapped ethereum (wETH, a 1:1 value equivalent token that represents ethereum) on the Solana blockchain, most of which the attacker then moved to the ethereum blockchain.

Unfortunately for Wormhole, all of that exploit-created wETH had to steal value from somewhere, and it came from Wormhole’s store of ethereum that lets it back all the wETH on its network.

SEE: Metaverse cheat sheet: Everything you need to know (free PDF) (TechRepublic)

With those funds missing, Wormhole was unable to say that its network was able to back transactions involving ethereum. It shut down to assess the problem, and with no recourse to recover its stolen funds Wormhole took to actually pleading with the attacker to return the stolen ethereum in exchange for a $10 million bug bounty.

The attacker has yet to accept the offer, and Wormhole was only able to restore its missing crypto thanks to the generosity of another crypto investment organization called Jump Trading, which said of its charitable giving that “we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop.”

A lesson for everyone: Validate your input

Setting aside the lost funds, charitable giving and overall catastrophe (in a long run of crypto catastrophes) that is the Wormhole hack; ignoring the complexity that is blockchains, to say nothing of cross-blockchain technology; and setting aside the unstable value and environmental impact of crypto, there’s a lesson to be learned from this attack that has, unfortunately, yet to be taken to heart: Validate your input.

According to security researchers who quickly took to Twitter with their findings, the exploit that allowed the attacker to pull 120,000 ETH out of the … ether was because Wormhole wasn’t properly validating what it calls “guardian accounts,” which are considered more secure than regular user accounts.

Using a series of blockchain transactions to insert fake credentials, the attacker was able to fool Wormhole into pulling sysvar instructions from fake ones they had created during Wormhole’s signature verification process. In short, the attacker exploited the fact that Wormhole didn’t properly validate the accounts, giving the attacker the chance to insert their own fake commands that made it appear as if they had the authority to mint ethereum.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Roger Grimes, a data-driven defense evangelist for KnowBe4, said that the programming error Wormhole made was rather common, but serious nonetheless. “The function inside of the multiple nested smart contracts which was supposed to verify the signature was not coded to ensure the integrity check actually happened. So, there was no integrity guaranteed in the integrity check. Yeah, that is a problem,” Grimes said.

Secure development lifecycle (SDL) coding should be standard practice for everyone, Grimes said. Unfortunately, “most developers and smart contact creators aren’t trained in SDL and get little to no training in secure development,” Grimes said. The end result of that training shortage is that more code with more exploits (many common and easily exploited) appear in the wild.

The cryptocurrency world, Grimes warns, “is an immature industry using immature code, moving ahead at warp speed.” Combine that with trillions of dollars in value and you have the perfect recipe for theft and fraud. Toss in a community that recoils at the thought of regulation and you have the perfect environment for crimes like the Wormhole hack, which enriched an individual attacker for very little risk.

Grimes said that there are lessons to be learned from the Wormhole hack, but he doesn’t seem confident that those lessons will be taken to heart. “You always hope that when the next cool digital thing happens that we will better apply the security lessons learned from the previous platforms. But we always seem to want there to be more digital blood on the ground than there needs to be. We always, over and over, want to learn the hard way,” Grimes said.

Take this news as a sign to look at your own systems. You may not be personally responsible for software that moves billions of dollars, but someone will suffer a loss when a breach inevitably occurs, and you could avoid being that victim through a bit of proactive security work.

What your organization can learn from the $324 million Wormhole blockchain hack