SUB003
Wormhole Bridge Finality Race
Message credited on target chain before source chain finalises — reorg window exploitable.
HIGH COLD FRONT Wormhole · $2.5M ← SSAF
N6 Kill Chain
✓ Q1 Direct
PASS
✓ Q2 Contract
PASS
✓ Q3 Prod
PASS
✓ Q4 Material
PASS
✓ Q5 Novel
PASS
✓ Q6 Welical
PASS
VECTOR
IMPACT
PoC
DETECT
FINDINGS
Attack Vector
Wormhole VAAs submitted before source chain finality, enabling double-spend via chain reorg.
Kill Chain
1Submit bridge tx on source chain.
2Guardians sign VAA before finality.
3Source chain reorgs — tx rolled back.
4VAA already submitted on destination — double spend.
Impact HIGH
Double-spend via reorg + pre-finality VAA. Polygon/BSC have reorg history at relevant depths. Each successful attack steals full bridge amount.
Severity
HIGH — probabilistic but confirmed reorg risk on Polygon/BSC.
Proof of Concept
1On Polygon: submit large bridge tx.
2Extract VAA immediately after guardian signing.
3Submit VAA to destination chain.
4Trigger Polygon reorg. Source rolled back. Destination credited.
Caveat
Reorg feasibility probabilistic — exact attack cost unknown without current validator set analysis.
Detection Signals
Monitor time-delta between source tx and VAA guardian signature.
Alert if VAA signed before canonical finality depth.
Track reorg events vs pending VAA queue.
Findings
NP-SUB003-001 HIGH Guardian finality assumptions differ by chain.
NP-SUB003-002 STRONG Polygon/BSC reorg history confirmed.
NP-SUB003-003 OPEN Requires chain reorg — probabilistic.
Sorry
Reorg feasibility probabilistic — exact attack cost unknown without current validator set analysis.
🍀 HIGH · N6 ALL PASS · PENDING CLO
γ₁ = 14.134725141734693