Attacker exploited a signature verification bypass in Wormhole's Solana contract to mint 120,000 wETH without backing.
The attacker found a vulnerability in Wormhole's Solana contract that allowed bypassing signature verification. By exploiting a legacy 'verify_signatures' function that was not properly deprecated, they crafted a spoofed VAA (Verified Action Approval) to mint 120,000 wETH on Solana. They then bridged 93,750 wETH to Ethereum.
Stolen ETH largely held in the attacker's wallet for months. Some converted to SOL through Jupiter aggregator. Eventually linked to Jump Crypto, which replenished the 120,000 ETH to make users whole. Attacker's identity unknown. Funds moved to various DeFi protocols.
3XMrhbv989VxAMi3DErLV9eJht1QTVQiJBnEGzmcwgAF8onGKnYKkA5xGEyVdGiGMNKJGCPeGFpEJnMpuRyBZT3