Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/wormhole-bridge

Name: wormhole-bridge
Author: apegurus

skills/case-studies/wormhole-bridge/SKILL.md

npx skillsauth add apegurus/solidity-argus wormhole-bridge

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Wormhole Bridge (2022)

Overview

In February 2022, the Wormhole bridge was exploited for 120,000 wETH (worth ~$320M) on the Solana side. The attacker was able to bypass the signature verification process and mint wETH without providing any collateral on the Ethereum side.

Root Cause

The vulnerability existed in the Wormhole's Solana program. Specifically, the verify_signatures function used a deprecated Solana system function load_instruction_at to verify the instructions sysvar. The attacker provided a spoofed sysvar account that mimicked the real sysvar but contained fake data, allowing them to bypass the signature check.

Attack Flow

Attacker identified that the verify_signatures function did not properly validate the instructions sysvar account.
Attacker created a malicious account that mimicked the instructions sysvar.
Attacker called post_vaa with the spoofed sysvar, which made the program believe the signatures were valid.
Attacker then called complete_wrapped_eth to mint 120,000 wETH on Solana.
Attacker bridged some of the wETH back to Ethereum and swapped the rest on Solana.

Impact

Loss: ~$320M
Protocol: Wormhole Bridge
Chain: Solana / Ethereum
Date: 2022-02-02

Key Transactions

Solana Attack tx: 2thJ77y986Yfs4S6996Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9 (Example representation)
Mint tx: 399986Yfs4S6996Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9

Detection Heuristics

Pattern 1: Use of load_instruction_at or other deprecated sysvar loading methods in Solana without proper account validation.
Pattern 2: Missing checks to ensure that system accounts (like sysvar::instructions) are actually the official system accounts.

Remediation

Fix 1: Use the modern get_instruction_relative or properly validate the sysvar account address.
Fix 2: Ensure all system accounts passed to the program are checked against their known addresses.

References

rekt.news/wormhole-rekt/
jumpcrypto.com/wormhole-exploit-post-mortem/

apegurus/wormhole-bridge

skills/case-studies/wormhole-bridge/SKILL.md

Case study of the 2022 Wormhole Bridge exploit: missing signature validation draining ~$320M

data-ai

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus wormhole-bridge

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:22 AM214.6s1 file scanned

SKILL.md

name:: wormhole-bridge
description:: Detects usage of deprecated or dangerous instruction loading in Solana programs which can be used to spoof sysvars.
category:: reference
source_url:: https://rekt.news/wormhole-rekt/
source_license:: CC0
imported_at:: 2025-02-20T00:00:00Z
- regex:: load_instruction_at
severity:: High

Wormhole Bridge (2022)

Overview

Root Cause

Attack Flow

Attacker identified that the verify_signatures function did not properly validate the instructions sysvar account.
Attacker created a malicious account that mimicked the instructions sysvar.
Attacker called post_vaa with the spoofed sysvar, which made the program believe the signatures were valid.
Attacker then called complete_wrapped_eth to mint 120,000 wETH on Solana.
Attacker bridged some of the wETH back to Ethereum and swapped the rest on Solana.

Impact

Loss: ~$320M
Protocol: Wormhole Bridge
Chain: Solana / Ethereum
Date: 2022-02-02

Key Transactions

Solana Attack tx: 2thJ77y986Yfs4S6996Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9 (Example representation)
Mint tx: 399986Yfs4S6996Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9

Detection Heuristics

Pattern 1: Use of load_instruction_at or other deprecated sysvar loading methods in Solana without proper account validation.
Pattern 2: Missing checks to ensure that system accounts (like sysvar::instructions) are actually the official system accounts.

Remediation

Fix 1: Use the modern get_instruction_relative or properly validate the sysvar account address.
Fix 2: Ensure all system accounts passed to the program are checked against their known addresses.

References

rekt.news/wormhole-rekt/
jumpcrypto.com/wormhole-exploit-post-mortem/

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/case-studies/wormhole-bridge ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT