Recently, an attacker was able to steal more than $320 million from Wormhole, a popular bridge linking Solana and Ethereum.
The root cause lies in a bug in verify_signatures of the Wormhole bridge code:
(1) it did not validate an input account and
(2) it used an unsafe and deprecated Solana API to parse the account.
If Wormhole had avoided either (1) or (2) above, the attack would have been prevented.
For (1), we elaborate in the “premium version” section in the second half of this article (see also the detailed analysis by samczsun and the bug fix).
For (2), the API load_instruction_at provided in solana_program::sysvar::instructions does not check the validity of accs.instruction_acc.
Therefore, the attacker could supply a fake account to verify_signatures. The code diff for the fixes is shown below:
We next demonstrate how X-Ray automatically detects the vulnerabilities for both (1) and (2).
Note: X-Ray had not scanned Wormhole before the attack.
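To make vulnerability (2) concrete, here is an added example (not code from the original article, Wormhole or solana_program) that contrasts a parser that trusts whatever account it is handed with one that first checks the account's address, which is the check `load_instruction_at_checked` in `solana_program` performs. The `AccountInfo` struct, the one-program-id-per-instruction layout, the function names and the `INSTRUCTIONS_SYSVAR_ID` bytes are assumptions made for this model.

```rust
// Simplified model: these types and the data layout are constructed for
// illustration; they are not the real solana_program definitions.
type Pubkey = [u8; 32];

// Placeholder bytes standing in for the instructions sysvar address.
const INSTRUCTIONS_SYSVAR_ID: Pubkey = [7u8; 32];

struct AccountInfo {
    key: Pubkey,   // address of the account the caller passed in
    data: Vec<u8>, // toy layout: one 32-byte program id per instruction
}

#[derive(Debug, PartialEq)]
enum ParseError {
    UnsupportedSysvar, // account is not the instructions sysvar
    InvalidIndex,      // no instruction stored at that index
}

// Shape of the unchecked API: parses the bytes of any account it is given.
fn load_program_id_at(index: usize, acc: &AccountInfo) -> Result<Pubkey, ParseError> {
    let start = index.checked_mul(32).ok_or(ParseError::InvalidIndex)?;
    let end = start.checked_add(32).ok_or(ParseError::InvalidIndex)?;
    let bytes = acc.data.get(start..end).ok_or(ParseError::InvalidIndex)?;
    let mut id = [0u8; 32];
    id.copy_from_slice(bytes);
    Ok(id)
}

// Checked form: confirm the account's address before trusting its contents.
fn load_program_id_at_checked(index: usize, acc: &AccountInfo) -> Result<Pubkey, ParseError> {
    if acc.key != INSTRUCTIONS_SYSVAR_ID {
        return Err(ParseError::UnsupportedSysvar);
    }
    load_program_id_at(index, acc)
}

fn main() {
    // Constructed sample accounts with identical data but different addresses.
    let program_id: Pubkey = [1u8; 32];
    let genuine = AccountInfo { key: INSTRUCTIONS_SYSVAR_ID, data: program_id.to_vec() };
    let substituted = AccountInfo { key: [9u8; 32], data: program_id.to_vec() };

    println!("unchecked, substituted: {:?}", load_program_id_at(0, &substituted).is_ok());
    println!("checked, substituted:   {:?}", load_program_id_at_checked(0, &substituted));
    println!("checked, genuine:       {:?}", load_program_id_at_checked(0, &genuine).is_ok());
}
```

The unchecked parser returns the same result for both accounts, so any decision built on it inherits whatever the caller chose to pass in; the checked form fails closed before reading the data.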
Check out Wormhole from GitHub:
Check out the vulnerable version before the fix:
Or check out the dev.v1 branch (the original deployed code):
Run X-Ray:
Note: EMITTER_ADDRESS is a build config used by the Wormhole bridge.
In a few seconds, X-Ray detects vulnerability (2), along with several others that use these unsafe APIs:
In total, X-Ray detects four vulnerabilities:
Option 1 (Linux terminal)
Option 2 (Docker)
For more detail, please follow this blog.
sec3 has recently launched a pilot program for customers to use a premium version of the X-Ray audit scanner.
If the premium X-Ray Auto Auditor had had the chance to scan the Wormhole bridge code, the attack would have been avoided.
The premium version is an under-development internal tool used by the sec3 core team for in-house auditing. It uses advanced algorithms that are much more comprehensive and powerful than the free version, and also provides more production features such as UI reporting.
Importantly, the premium version covers a lot more vulnerabilities (25+ types of Solana-specific security vulnerabilities, including both vulnerabilities (1) and (2) in Wormhole) compared to the publicly available free version.
The following shows Wormhole vulnerability (1) as reported by the premium tool on the version (commit: 79ab522f) right before the fixes:
sec3 (formerly Soteria) was founded by leading minds in the fields of blockchain security and software verification.
sec3 has recently launched a pilot program for customers to use an advanced version of the X-Ray audit scanner, which covers a lot more vulnerabilities.
We are also pleased to provide audit services to high-impact Dapps on Solana.
Please visit sec3.dev or email contact@sec3.dev.