The Wormhole Hack: How X-Ray Detects the Vulnerability Automatically
February 3, 2022

Recently, an attacker was able to steal more than $320 million from Wormhole, a popular bridge linking Solana and Ethereum.

The root cause lies in a bug in verify_signatures of the Wormhole bridge code:

(1) it did not validate an input account and

(2) it used an unsafe and deprecated Solana API to parse the account.

If wormhole had avoided either (1) or (2) above, the attack would have been avoided.

For (1), we will elaborate it in Section “premium version” in the second half of this article (also see a detailed analysis by samczsun and the bug fix).

For (2), the API load_instruction_at provided in solana_program::sysvar::instructions does not check validity of accs.instruction_acc.

Therefore, the attacker could supply a faked account to do verify_signatures. The code diff for the fixes are shown below:

The fix for missing sysvar check in branch sec/instructions-fix
1*K16y6tOClhR5fgINuEKsoA.png (2400×1121)
The fix for using safe checked API in branch dev.v2
1*rfHDwTwIWUEruePexk-T2Q.png (1948×926)
The wormhole vulnerability (on commit: 79ab522f) detected by X-Ray premium

X-Ray in action

We next demonstrate how X-Ray automatically detects the vulnerabilities for both (1) and (2).

Note: X-Ray had not scanned Wormhole before the attack.

Check out wormhole from github:

git checkout
cd wormhole/solana/bridge/program/

Checkout the vulnerable version before the fix:

git checkout 79ab522f802ccc5ba34278d3c648fa62e06f4f1c

Or check out the dev.v1 branch (the original deployed code):

git checkout dev.v1

Run X-Ray:

export EMITTER_ADDRESS=0 && soteria -analyzeAll .

Note: EMITTER_ADDRESS is a build config used by Wormhole bridge.

X-Ray detection results

In a few seconds, X-Ray detects the vulnerability (2) and also several others that use these unsafe APIs:

1*yV4cbXZtwvGdgQTiZUtK3A.png (2400×709)
solana_program::sysvar::instructions::load_instruction_at is unsafe and deprecated
solana_program::sysvar::instructions::load_current_index is unsafe and deprecated
1*AA9-7SSRDPoVld1itN0zyA.png (2400×744)
1*TCpMM6ai9gfC-M_V69fjYg.png (2400×744)

In total, X-Ray detects four vulnerabilities:

How to install X-Ray (free version)

Option 1 (Linux terminal)

sh -c "$(curl -k"

Option 2 (Docker)

docker run -v $PWD/jet-v1/:/workspace -it greencorelab/soteria:latest /bin/bash

For more detail, please follow this blog.

X-Ray auto-audit pilot program (premium version)

sec3 has recently launched a pilot program for customers to use a premium version of X-Ray audit scanner.

If the premium X-Ray Auto Auditor had chance to scan Wormhole bridge code, the attack would have been avoided.

The premium version is an under-development internal tool used by sec3 core team for in-house auditing. It uses advanced algorithms that are much more comprehensive and powerful than the free version, and also provides more production features such as UI reporting.

Importantly, the premium version covers a lot more vulnerabilities (25+ types of Solana-specific security vulnerabilities, including both (1) and (2) vulnerabilities in wormhole) compared to the publicly available free version.

The following shows the wormhole vulnerability (1) reported by the premium tool on the version (commit: 79ab522f) right before the fixes :

1*rfHDwTwIWUEruePexk-T2Q.png (1948×926)
The wormhole vulnerability (on commit: 79ab522f) detected by X-Ray premium
1*hedwBLVLwQhqhDX4KsLmqw.png (1314×776)
The Wormhole vulnerability detected by X-Ray premium tool

sec3 security and audit services

sec3 (formerly Soteria) is founded by leading minds in the fields of blockchain security and software verification.

sec3 has recently launched a pilot program for customers to use an advanced version of X-Ray audit scanner, which covers a lot more vulnerabilities.

We are also pleased to provide audit services to high-impact Dapps on Solana.

Please visit or email