Skip to content
/ wormhole-uninitialized Public

The repository contains a runnable POC for uninitialized wormhole implementation contract

75 stars 18 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

immunefi-team/wormhole-uninitialized

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
contracts
contracts
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
hardhat.config.js
hardhat.config.js
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
poc.js
poc.js
 
 

Repository files navigation

This project demonstrates a PoC for the Wormhole uninitialized implementation contract vulnerability

Wormhome last upgraded their implementation contract submitContractUpgrade() at tx hash: https://etherscan.io/tx/0xd45111d7c22a4ba4a1cd110c8224859000fcb0cd5cefd02bd40434ac42a07be6 at blockNumber: 13818843

export ALCHEMY_API=https://eth-mainnet.alchemyapi.io/v2/[API_KEY]
npm i
npx hardhat run poc.js

terminal

Wormhole initialized the implementation initialize() at tx hash: https://etherscan.io/tx/0x9acb2b580aba4f5be75366255800df5f62ede576619cb5ce638cedc61273a50f at blockNumber: 14269474

It was recorded that $1.8 billion worth of assets residing in the contract at the time of submission.

Hacker could have held the entire protocol ransom with the threat that the Ethereum Wormhole bridge would be bricked, and all the funds residing in that contract lost forever.

About

The repository contains a runnable POC for uninitialized wormhole implementation contract

Resources

Readme
Activity
Custom properties

Stars

75 stars

Watchers

3 watching

Forks

18 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages