Skip to content

The repository contains a runnable POC for uninitialized wormhole implementation contract

Notifications You must be signed in to change notification settings

immunefi-team/wormhole-uninitialized

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

This project demonstrates a PoC for the Wormhole uninitialized implementation contract vulnerability

Wormhome last upgraded their implementation contract submitContractUpgrade() at tx hash: https://etherscan.io/tx/0xd45111d7c22a4ba4a1cd110c8224859000fcb0cd5cefd02bd40434ac42a07be6 at blockNumber: 13818843

export ALCHEMY_API=https://eth-mainnet.alchemyapi.io/v2/[API_KEY]
npm i
npx hardhat run poc.js

terminal

Wormhole initialized the implementation initialize() at tx hash: https://etherscan.io/tx/0x9acb2b580aba4f5be75366255800df5f62ede576619cb5ce638cedc61273a50f at blockNumber: 14269474

It was recorded that $1.8 billion worth of assets residing in the contract at the time of submission.

Hacker could have held the entire protocol ransom with the threat that the Ethereum Wormhole bridge would be bricked, and all the funds residing in that contract lost forever.

About

The repository contains a runnable POC for uninitialized wormhole implementation contract

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published