smartcontracts.eth
@kelvinfichter
Followers
34K
Following
210
Media
299
Statuses
7K
Alright. I figured out the Solana x Wormhole Bridge hack. ~300 million dollars worth of ETH drained out of the Wormhole Bridge on Ethereum. Here's how it happened.
388
3K
13K
Welp. @Ronin_Network is now on top of the crypto hack leaderboard. $625 MILLION dollars worth of ETH and USDC just got stolen from the Ronin bridge. Here's how it happened.
79
530
2K
Another "crypto hack made simple" thread for ya. @BeanstalkFarms, a DeFi protocol, was just exploited for about $75m worth of Ether (~25k ETH). Here's how the heist went down.
66
368
2K
Last weekend an attacker was able to gain control of the Optimism addresses that correspond to various Gnosis Safe multisigs on Ethereum that had not yet been deployed to Optimism. A quick thread on security in the multi-chain world ~~.
36
319
1K
It's interesting that this commit was made ~9 hours ago and the exploit happened a few hours after that. Possible that an attacker was keeping an eye on the repository and looking out for suspicious commits.
35
49
1K
Here's the transaction which finalized a majority of the exploit. 80k ETH pulled out of the Wormhole contract on Ethereum in a single transaction:
3
45
611
Fine, I'm finally doing it. It's time to open-source the Eth2 book, a free resource for understanding the future of Ethereum (in depth):
14
151
616
Using this "fake" system program, the attacker could effectively lie about the fact that the signature check program was executed. The signatures weren't being checked at all!.
8
32
580
And one withdrawal of 80k ETH + 10k ETH later (everything in the bridge on Ethereum), everything was gone.
12
17
568
After that point, it was game over. The attacker made it look like the guardians had signed off on a 120k deposit into Wormhole on Solana, even though they hadn't. All the attacker needed to do now was to make their "play" money real by withdrawing it back to Ethereum.
7
28
565
Wormhole is a "bridge" -- basically a way to move crypto assets between different blockchains. Specifically, Wormhole has a set of "guardians" that sign off on transfers between chains. It's a little more complicated than that in practice, but that's the general idea.
4
25
554
One sec loading up my next tweets. hold your horses.
11
2
552
The first breakthrough came from this transaction on Solana which somehow minted 120k "Wormhole ETH" out of nowhere:
5
30
538
That explains part of it! The attacker was able to mint Wormhole ETH on Solana, so they were able to correctly withdraw it back to Ethereum. Now we just need to figure out how the attacker was able to mint this Wormhole ETH on Solana. .
4
18
521
Although it's dramatic, this transaction is just the very end of an interesting series of events. I had to start working my way backwards to figure out how this was even possible.
2
10
505
Alright, here's where we start getting into the weeds of Solana. This is the first time I've ever looked at Solana contracts so it took me a while to get my bearings, but I think I finally get what's going on.
1
13
503
The transaction that pulled out 80k ETH was actually the attacker transferring 80k ETH from Solana to Ethereum. I originally thought that the contract might've incorrectly validated the signatures on the transfer, but the signatures completely checked out.
2
15
477
The Wormhole "guardians" had somehow signed off on this 80k ETH transfer as if it were 100% legit. How was that possible?.
2
15
442
The next interesting piece of information is this Solana transaction that came right before the 120k ETH one, where 0.1 Wormhole ETH was minted on Solana:
2
13
430
For your entertainment, here's a thread about the future of @optimismFND, the upcoming Bedrock upgrade, Rollup decentralization, and ZK. Bedrock is a Rollup client, not an Optimistic Rollup client 😉. Enjoy the spice. 🌈.
14
116
405
It doesn't really matter if you understand the fancy code, the most important thing here is that post_vaa checks if the message is valid by checking the signatures from the guardians. That part seems reasonable enough. But it's this signature checking step that broke everything.
2
17
427
The transactions that minted Wormhole ETH on Solana were triggering this Wormhole function "complete_wrapped":
2
18
409
Of course, the attacker definitely did not make a 120k ETH deposit into Wormhole on Ethereum. But there's something interesting about this deposit. It definitely has something to do with the attack, but what?.
1
6
395
Whew. Long day. Optimism has now been sustaining >10tps for the last several hours, approximately on par with Ethereum, without any problems on the Sequencer side. Still a long way to go, but it's amazing that we're here considering L2s barely existed a year ago.
14
45
387
If we take a look at the attacker's transaction history on Ethereum, we end up seeing that the attacker *did* make a deposit of 0.1 ETH *into* Solana from Ethereum:
3
8
396
The load_instruction_at function was deprecated relatively recently because it *does not check that it's executing against the actual system address*!
7
24
395
The only crypto strategy is to buy ETH and fucking hold it.
27
25
360
Alright let's keep going. "post_vaa" doesn't actually check the signatures. Instead, in typical Solana fashion, there's another smart contract which gets created by calling the "verify_signatures" function.
2
7
364
Solana is kinda weird, so these parameters are actually smart contracts themselves. But the important thing is how these "transfer message" contracts get created. Here's the transaction that made the 0.1 ETH transfer message:
1
12
349
One of the parameters that this function takes is a "transfer message", basically a message signed by the guardians that says which token to mint and how much:
1
5
351
Blobs just went live and you can send any amount of ETH on @Optimism OP Mainnet anywhere in the world right now for less than $0.001. Meanwhile, it costs $4-$12 to send $200 from the US to the Philippines with Western Union. Crypto is scaling.
11
60
341
But here's the "verify_signatures" transaction for the fake deposit of 120k ETH
6
16
339
Introducing NFT mirroring: mirror your Optimism NFTs on Ethereum so you can display them on apps like Twitter. Dropping exclusively on Optimism soon(tm). Check out my PFP if you want a sneak peek 👀
29
70
294
Oh, and in case you missed it, the team over at @OPLabsPBC is shipping permissionless fault proofs to OP Sepolia in 6 days. 🥱.
18
49
331
A commit was made ~9 hours ago replacing usage of load_instruction_at with load_instruction_at_checked, which actually confirms that the program being executed is the system program:
3
14
318
This "transfer message" contract is created by triggering a function called "post_vaa":
1
5
310
10 ETH bet that there won't be any zk-rollups that can support ethereum smart contracts without a custom compiler by the end of 2023.
50
20
294
This verification function is a built-in tool that's supposed to verify that the given signatures are correct. So the signature verification has been outsourced to this program. But here's where the bug comes in.
1
13
304
One of the inputs to the "verify_signatures" function is a Solana built-in "system" program which contains various utilities the contract can use:
2
7
298
Ok I'm officially tired of the fact that Ethereum's primary platform for communication is Twitter, a website designed to incentivize hot takes and dunks. I threw together an experimental forum instead.
48
24
300
Here's that system address being used as the input for the "verify_signatures" for the legit deposit of 0.1 ETH
2
7
285
Within "verify_signatures", the Wormhole program attempts to check that the thing that happened right before this function was triggered was that the Secp256k1 signature verification function was executed:
3
8
279
The Wormhole contracts used the function load_instruction_at to check that the Secp256k1 function was called first:
1
6
274
.@liamihorne dropped the wildest ethereum pro tip I somehow never thought of, use a 1 of 1 multisig so you can rotate keys without changing your address 🤷♀️.
28
30
266
This is very different from previous bridge hacks where the root cause was a smart contract bug. This is a much more "classical" hack of private keys in a multi-key security setup. This is why trust-minimized bridging is SO important.
4
27
264
You're supposed to provide the system address as the program you're executing here (it's the third-to-last program input):
1
4
261
Looks like it was probably an exploit on the Solana side, not on the Ethereum side. See the following transaction where 120k Wormhole ETH was minted on Solana:
7
74
251
Wormhole reports that the exploit has been patched
The vulnerability has been patched. We are working to get the network back up as soon as possible.
1
9
248
As another commenter has noted, it could also be that the attacker knew about the bug in advance and was forced into exploiting the bug because the patch was being rolled out. Seems hard to construct this attack within ~2 hours so could be a possibility here.
14
4
249
Etherscan as a source of truth is a systemic risk. I love Etherscan as much as anyone else but we really need more competitors in the block explorer space.
15
19
249
The OP Stack is about to make Ethereum contract development crazy again. Hard to explain until you've seen it. It's just stupid how powerful this thing is. The idea of getting CSR on Optimism Mainnet was what really got me. (quik thred).
𝗖𝗼𝗻𝘁𝗿𝗮𝗰𝘁 𝗦𝗲𝗰𝘂𝗿𝗲𝗱 𝗥𝗲𝘃𝗲𝗻𝘂𝗲 for🔴Optimism Builders,.or: .How @CantoPublic's idea ended up on @optimismFND thanks to @BanklessHQ and @EthernautDAO. 🧵👇 (1/10).
12
43
235
@VitalikButerin Actual question: what does a unit of gas represent? Gas is multi-dimensional (storage, compute, bandwidth pricing). Why don't we have different types of gas for each resource type? And how does one think about the meaning of one unit of gas in this current context?.
13
8
228
I'm going to do a Twitch stream series where I dive into the architecture of zkEVMs (looking at code, not theory). Does anyone from @0xPolygonHermez @Scroll_ZKP @zksync want to hop on a stream sometime soon to go over their respective codebases?.
15
16
223
This suggests that Ronin had minimal monitoring and alerting in place. Alerting on bridge balance dropping below a certain value seems obvious. People should've been getting annoying opsgenie calls at 2am for this.
2
5
211
Also, the hack happened SIX days ago and no one noticed until a user tried to withdraw:
4
12
206
This is why client diversity is SO IMPORTANT and why the Ethereum community has been shouting loudly about client diversity in preparation for the Merge. This event likely would've been prevented if there were at least 3 client implementations.
1
17
197
Arbitrum has acquired Prysmatic Labs, the maintainer of the most widely used Ethereum consensus client. In exchange for cash, Arbitrum has put itself in the position of a "core Ethereum maintainer" and now has Arbitrum engineers in a central part of the Ethereum dev process.
We’re extremely happy to announce that we (@OffchainLabs) are acquiring @prylabs, the team behind Ethereum's leading consensus client!. Let’s dive into details!🧵👇.
14
28
195
Let's look at some early lessons. I think the most fundamental error here was the reliance on validator-based bridges. The Ronin Bridge has a fundamental assumption that a majority of keys cannot be compromised. Clearly this assumption was broken.
4
14
191
How do we prevent this sort of compromise? It's an annoying engineering problem. First, it seems clear that no single entity should be running a significant number of nodes. I find it problematic that Sky Mavis was running 4/9 nodes.
5
5
185
I used the following tools for this analysis:. These are usually my go-to tools, I highly recommend them to anyone looking to analyze hacks like this.
4
13
185
ok ok not trying to be combative but does it strike anyone else as a potential conflict of interest to simultaneously be EF director and operating a VC firm.
After many months of thoughtful conversations, I am pleased to share that @ergokhaner and @NethermindEth are launching Lantern Capital, an early-stage venture capital firm.
18
5
194
TL;DR older version of Solana standard lib doesn't check stuff properly, contract doesn't get upgraded to latest version, bye bye $300m.
Alright. I figured out the Solana x Wormhole Bridge hack. ~300 million dollars worth of ETH drained out of the Wormhole Bridge on Ethereum. Here's how it happened.
5
33
180
Man I love deploying to Optimism. Feels like Ethereum in 2016 back when I could actually afford to deploy stuff and experiment with things. Can get way more creative with my contracts. One of the under-appreciated things about L2.
4
6
177
Why are you still using a single hardware wallet instead of a 2-of-2 multisig with hardware + key on a mobile device as 2FA.
28
20
175
It looks like 5 of the keys were compromised via a backdoor in the Ronin bridge node. It's unclear exactly how the backdoor worked, I'm going to keep investigating to see what's up.
5
14
169
> Ethereum uses Twitter as its primary coordination platform .> Twitter incentivizes ragebait and arguments.> Eth Twitter constantly consumed by ragebait and arguments.> Surprisedpikachu.jpeg.
14
16
178
Discovering the hack almost a week after it happened is a bad look, especially for something as easy to monitor as the bridge balance (there are much more subtle attacks out there that would be hard to monitor for).
1
8
162
It looks like the Ronin hack was quite different from previous bridge hacks. The Ronin bridge is a 5-of-9 validator bridge, meaning the funds are secured by a set of 9 secret keys, any 5 of which can be used to move money around.
1
9
153
Third day of record transactions on Optimism. Wild.
5
11
161
Optimism ecosystem has various open protocol projects for the OP Stack. If you're interested in working on the cutting edge of crypto, building open source software, and being rewarded for your work via RetroPGF, DM me and I'll find you the perfect project.
8
30
158
Once 5 of the keys were compromised, the attacker could basically just take all of the money out of the bridge without a problem. Bye bye $625m.
2
6
150
Crypto has slowly been losing sight of its vision. In some way the "builder" class is a part of this -- lots of people coming into crypto for the cool tech and not the social reality that the tech can enable. Crypto is going to have to fight for its vision.
14
21
150
It's clear: THE FUTURE IS SUPERCHAIN. @coinbase is joining @optimismFND on the journey towards the vision of a UNIFIED network of L2s: the Superchain. Here's what's up with the Superchain and how you can get involved **today** 👀.
1/ 🔵 We’re excited to announce @BuildOnBase. Base is an Ethereum L2 that offers a secure, low-cost, developer-friendly way for anyone, anywhere, to build decentralized apps. Our goal with Base is to make onchain the next online and onboard 1B+ users into the cryptoeconomy.
7
26
157
We all know Optimistic Rollups need to build fault proofs. But did you know there are actually four different levels of fault proofs? 👀👀 A behind-the-scenes thread on the truth behind Optimistic Rollup proof systems 🔴✨.
5
23
154
Exciting news, my zkEVM stream series starts tomorrow!. I'll be streaming with @0xPolygonHermez and diving deep into their zkEVM codebase. It'll be a fluid Q&A where I'll be trying to understand the codebase on the fly. Join me @ 10:30am EST over at
7
25
148
I made a repo with simple instructions for how to run your very own Optimism node (it even comes with metrics!)
10
25
148
Congrats to the whitehat, but what an absolutely massive process and security failure on the part of Jump/Wormhole. You can't be forgetting to initialize proxies. You should have systems in place that do not allow you to forget to initialize proxies.
Whitehat satya0x reported a critical vulnerability in @wormholecrypto on Feb 24 via Immunefi. The bug was quickly patched, no user funds were affected, and satya0x received a $10 million payout from Wormhole, the largest bounty payout on record.
8
20
148
I really want to give a talk called "How Rollups **actually** work" that sketches out the proper mental models for thinking about Rollups.
15
4
144
oh my god
9684c022748fed2b3b076cde6000d1dc8301e508f19382e2b510f84aed260380.
8
8
135
We'll see what happens next. I'll keep digging into the exact exploit and report back if I find anything. Unfortunately, since this wasn't a smart contract bug, there's no public trace of the issue. Going to start examining Ronin's node software and see what I can find.
2
2
132
@FTX_Official As a side note, an interesting model for withdrawals that I've heard discussed before (I think via @ben_chain) is to introduce a withdrawal delay depending on the size of the withdrawal. In combo with alerts on large withdrawals, likely would've prevented this attack.
5
6
135
Optimistic rollups are way better than ZK rollups right now (like, it's not even a competition really) and will remain that way for at least 2-3 years. If you want to scale any time soon you should be looking at Optimistic over ZK. fite me, it's true.
12
20
133
It's funny how Ethereum turns a bunch of fintech startups that need months to build an MVP into weekend projects.
9
15
132
I don't know how the Ronin team operates internally, but if you're making an N-of-M validator bridge then you MUST have the engineering practices in place to be able to secure those validators.
1
6
127
Damn I can't believe the merge is really happening. Ethereum is sick, I couldn't imagine working on anything else.
7
4
127
Hot take: I think deflationary systems are kinda wack and it's frustrating that deflation is becoming a core Ethereum meme :-/ Deflation mainly really benefits the people who already have stacks to sit on.
18
9
127
OP Stack getting PUSH0 🫡.
Today we’re announcing the first post-Bedrock network upgrade for the Optimism ecosystem: Canyon!. Built and implemented in collaboration with @BuildonBase, this upgrade will hit Superchain testnets on Nov. 14th at 17:00 UTC.
6
56
93
But there's no reason why Bedrock can't use a ZK proof System instead 👀👀. We think Optimistic Rollups currently have massive advantages over their ZK counterparts, but Bedrock has been designed to make a seamless transition between Optimistic and ZK possible.
7
20
124
Oh, and OP Mainnet now supports PUSH0!.
The Canyon upgrade will be activating on OP Mainnet tomorrow, Jan. 11 at 17:00:01 UTC!. This is a reminder to upgrade your nodes—minimum versions are op-node v1.3.2 & op-geth v1.101304.2. Here is a handy upgrade guide:.
15
25
104
Lmao isn't this basically kind of an assassination market? If there were enough open interest, rescue workers could profit by sabotaging rescue efforts 😬.
23
8
126
So some basic takeaways for now:.1. Validator bridges can work IF you have the engineering practices to maintain your security assumptions. This is not trivial. 2. Trust-minimized bridges are harder to build up-front but can be easier to secure down the line.
3
10
119
So uhhh if you wanna contribute to some code that has forever and always been MIT licensed.
4
10
117
If you have 32 eth and you aren't running a validator, go run a validator! It's so fun seeing number go up. I'm using eth-docker and it's been flawless so far.
8
14
120