What Your Organization Can Learn From the $324 Million Wormhole Blockchain Hack

The hacker who got away with millions through the Wormhole blockchain bridge service exploited an incredibly common coding error that could lurk in anyone’s software.


Those who follow the tech world have probably heard of the recent Wormhole blockchain bridge service hack, which accounted for the fourth-largest crypto theft and the second-largest DeFi heist ever. The attacker who found the exploit created 120,000 ETH out of thin air and walked away with around $324 million.

Basically, Wormhole is a service that allows users to exchange cryptocurrencies across blockchains, much like exchanging one fiat currency for another. In this particular case, the attacker exploited Wormhole in such a way that he was able to trick it into minting 120,000 wrapped ether (wETH, a token pegged 1:1 to ether) on the Solana blockchain, most of which the attacker later moved to the Ethereum blockchain.

Unfortunately for Wormhole, all the wETH minted by the exploit had to draw its value from somewhere, and it came from Wormhole’s Ethereum-side reserve, which backs all the wETH on its network.


With those funds gone, Wormhole could no longer claim that its network was able to back transactions involving Ethereum. It shut down to assess the problem and, with no way to recover the stolen funds, Wormhole went so far as to implore the attacker to return the stolen ether in exchange for a $10 million bug bounty.

The attacker has yet to accept the offer, and Wormhole was only able to restore its missing crypto thanks to the generosity of another crypto investment organization called Jump Trading, which said of its donation that “we replaced 120k ETH to make community members whole and support Wormhole now as it continues to grow.”

A lesson for everyone: Validate your input

Lost funds, charitable donations and the overall disaster (one in a long line of crypto disasters) aside; ignoring the complexity of blockchains, let alone cross-blockchain technology; and leaving aside the unstable value and environmental impact of crypto, there is one lesson to be learned from this attack that unfortunately has still not been taken to heart: validate your input.

According to security researchers who quickly took to Twitter with their findings, the exploit that allowed the attacker to pull 120,000 ETH out of thin air was due to Wormhole not properly validating what it calls “custodial accounts,” which are considered more secure than ordinary user accounts.

By using a series of blockchain transactions to insert fake credentials, the attacker was able to trick Wormhole into reading sysvar instructions from a fake instruction set they had created, during Wormhole’s signature verification process. In short, the attacker exploited the fact that Wormhole failed to properly validate accounts, giving the attacker the ability to insert their own bogus commands that looked like they had the authority to mint ether.
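The failure described above is a general one: a program reads "evidence" from an account a caller hands it, without first confirming that the account is the one it expects. The following Rust sketch is an added illustration written for this article; it is not Wormhole's code and uses no Solana crates. All key values are constructed placeholders, and the toy instruction layout is invented for the example. It shows a weak verifier that trusts whatever account is labelled "the sysvar" next to a hardened one that refuses to parse anything until the account address matches the genuine sysvar.

```rust
// Added illustration, not Wormhole's code: a dependency-free sketch of the
// "verify the account before you trust its contents" check. Key values below
// are constructed placeholders, not real Solana addresses.

/// 32-byte public key, as on Solana.
pub type Pubkey = [u8; 32];

/// Placeholder for the real instructions sysvar address (on Solana that is
/// `solana_program::sysvar::instructions::ID`; this byte pattern is made up).
pub const INSTRUCTIONS_SYSVAR_ID: Pubkey = [0x51; 32];

/// Placeholder for the only program whose recorded instruction is accepted as
/// proof that signature verification actually ran.
pub const TRUSTED_VERIFIER_KEY: Pubkey = [0xA7; 32];

/// A caller-supplied account: its address and the bytes it holds.
pub struct AccountInfo<'a> {
    pub key: Pubkey,
    pub data: &'a [u8],
}

/// Minimal instruction record: issuing program plus payload.
#[derive(Debug, PartialEq)]
pub struct Instruction {
    pub program_id: Pubkey,
    pub data: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum VerifyError {
    /// The account passed as "the sysvar" is not at the sysvar address.
    WrongSysvarAccount,
    /// No instruction from the trusted verifier program was found.
    NoTrustedInstruction,
}

/// Encode one record in the toy layout: [32-byte program_id][1-byte len][payload].
pub fn encode_instruction(program_id: &Pubkey, payload: &[u8]) -> Vec<u8> {
    assert!(payload.len() <= u8::MAX as usize, "payload too long for 1-byte length");
    let mut out = Vec::with_capacity(33 + payload.len());
    out.extend_from_slice(program_id);
    out.push(payload.len() as u8);
    out.extend_from_slice(payload);
    out
}

/// Parse a sequence of records in the toy layout; stops at the first truncated one.
pub fn parse_instructions(bytes: &[u8]) -> Vec<Instruction> {
    let mut out = Vec::new();
    let mut i = 0;
    while i + 33 <= bytes.len() {
        let mut program_id = [0u8; 32];
        program_id.copy_from_slice(&bytes[i..i + 32]);
        let len = bytes[i + 32] as usize;
        let (start, end) = (i + 33, i + 33 + len);
        if end > bytes.len() {
            break;
        }
        out.push(Instruction { program_id, data: bytes[start..end].to_vec() });
        i = end;
    }
    out
}

/// Weak form: reads instruction records from whatever account the caller
/// labels as the sysvar, so the caller controls what "evidence" is seen.
pub fn verify_signatures_unchecked(sysvar: &AccountInfo) -> Result<(), VerifyError> {
    let seen = parse_instructions(sysvar.data);
    if seen.iter().any(|ix| ix.program_id == TRUSTED_VERIFIER_KEY) {
        Ok(())
    } else {
        Err(VerifyError::NoTrustedInstruction)
    }
}

/// Hardened form: refuse to read anything until the account address matches
/// the genuine sysvar; only then is the content worth parsing.
pub fn verify_signatures_checked(sysvar: &AccountInfo) -> Result<(), VerifyError> {
    if sysvar.key != INSTRUCTIONS_SYSVAR_ID {
        return Err(VerifyError::WrongSysvarAccount);
    }
    verify_signatures_unchecked(sysvar)
}

fn main() {
    // Constructed sample: a record claiming to come from the trusted verifier,
    // placed in an account that is NOT at the sysvar address.
    let records = encode_instruction(&TRUSTED_VERIFIER_KEY, b"verified");
    let impostor = AccountInfo { key: [0xEE; 32], data: &records };
    println!("unchecked: {:?}", verify_signatures_unchecked(&impostor)); // Ok(())
    println!("checked:   {:?}", verify_signatures_checked(&impostor)); // Err(WrongSysvarAccount)
}
```

The point of the hardened form is the order of operations: the identity check comes before any parsing, so no attacker-controlled bytes are interpreted until the program knows where they came from. In a real Solana program the equivalent is to compare the account against the instructions sysvar ID (or use the crate's checked loader) rather than trusting the caller's label.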


Roger Grimes, a data-driven defense evangelist for KnowBe4, said the programming error Wormhole made was quite common, but serious nonetheless. “The function inside multiple nested smart contracts that was supposed to verify the signature was not coded to ensure that the integrity check took place. Thus, there was no guaranteed integrity in the integrity check. Yeah, that’s a problem,” Grimes said.

Secure Development Lifecycle (SDL) coding should be standard practice for everyone, Grimes said. Unfortunately, “most developers and smart contract creators aren’t trained in SDL and receive little or no training in secure development,” Grimes said. The end result of this training shortage is that more code with more exploits (many common and easily exploitable) appears in the wild.

The cryptocurrency world, Grimes warns, “is an immature industry using immature code, moving at lightning speed.” Combine that with trillions of dollars in value and you have the perfect recipe for theft and fraud. Mix in a community that recoils from the idea of regulation and you have the perfect environment for crimes like the Wormhole hack, which made an individual attacker rich for very little risk.

Grimes said there are lessons to be learned from the Wormhole hack, but he doesn’t seem convinced those lessons will be taken to heart. “You always hope that when the next cool digital thing happens, we better apply the security lessons learned from previous platforms. But we always seem to want there to be more digital blood in the field than there is. We want to always, again and again, learn the hard way,” Grimes said.

Take this news as a sign to examine your own systems. You may not be personally responsible for software that moves billions of dollars, but someone will suffer a loss when a breach inevitably occurs, and you could avoid being that victim with a little proactive security work.
