Here’s how 98k ETH was stolen on Solana

There has been a lot of confusion about how the Wormhole hack happened, and exactly whose side is at fault. Unfortunately, there is a lot of misinformation going around, and many people are not technical. I’d like to explain how this works.

ELI5 version:

To create wETH on their chain, Solana checks that there is a valid signature, and that the signature comes from a Guardian.

Proper usage means there is a valid signature (Correct ✅) from a guardian (Correct ✅). These two conditions match, and so the request is approved. ✅

They expected an attacker would issue an invalid signature (Incorrect ❌) from a guardian (Correct ✅). These two conditions do not match, so the request is denied. ❌

The hack

The attacker issued an invalid signature (Incorrect ❌) from a non-guardian (Incorrect ❌). But these conditions match: incorrect matches incorrect. So the request is APPROVED ✅(!!) and the ETH was stolen on the Solana network.

The Ethereum network successfully processed a withdrawal, because Solana told Ethereum “it’s all good, this is legit”, but Solana’s logic for determining whether it is good was flawed.

For programmers: the check was == instead of &&
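
The difference between the two operators, as an added Rust example that models the check the way this post describes it (not code from the post or from Wormhole). The guardian names, the payload and `toy_sign`, a non-cryptographic stand-in for signature verification, are assumptions made for illustration.

```rust
// Toy model of the check as this post describes it. Not Wormhole's code.
const GUARDIANS: [&str; 2] = ["guardian-1", "guardian-2"]; // constructed names
/// Stand-in for signature verification (FNV-1a over signer and payload).
/// Not real cryptography; it only gives each request a valid/invalid outcome.
fn toy_sign(signer: &str, payload: &str) -> u64 {
    let mut h: u64 = 0xcbf29ce484222325;
    for b in signer.bytes().chain(payload.bytes()) {
        h ^= b as u64;
        h = h.wrapping_mul(0x100000001b3);
    }
    h
}

struct Request<'a> { signer: &'a str, payload: &'a str, sig: u64 }
fn sig_valid(r: &Request) -> bool { r.sig == toy_sign(r.signer, r.payload) }
fn is_guardian(r: &Request) -> bool { GUARDIANS.iter().any(|g| *g == r.signer) }

/// Flawed: approves whenever the two results are equal, including both false.
fn approve_flawed(r: &Request) -> bool { sig_valid(r) == is_guardian(r) }

/// Fixed: approves only when both results are true.
fn approve_fixed(r: &Request) -> bool { sig_valid(r) && is_guardian(r) }

/// One request for each of the four (valid signature?, guardian?) cases.
fn cases() -> Vec<(&'static str, Request<'static>)> {
    let p = "mint wETH"; // constructed payload
    let good = |s: &str| toy_sign(s, p);
    vec![
        ("valid sig, guardian", Request { signer: "guardian-1", payload: p, sig: good("guardian-1") }),
        ("invalid sig, guardian", Request { signer: "guardian-1", payload: p, sig: good("guardian-1") ^ 1 }),
        ("valid sig, non-guardian", Request { signer: "mallory", payload: p, sig: good("mallory") }),
        ("invalid sig, non-guardian", Request { signer: "mallory", payload: p, sig: good("mallory") ^ 1 }),
    ]
}

/// Labels of the cases the flawed check approves but the fixed check denies.
fn wrongly_approved() -> Vec<&'static str> {
    cases().into_iter()
        .filter(|(_, r)| approve_flawed(r) && !approve_fixed(r))
        .map(|(label, _)| label)
        .collect()
}

fn main() {
    for (label, r) in cases() {
        println!("{:26} flawed={} fixed={}", label, approve_flawed(&r), approve_fixed(&r));
    }
    println!("wrongly approved: {:?}", wrongly_approved());
}
```

Of the four cases, the two checks disagree only when both conditions fail, which is the case the ELI5 section describes.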