The $47M Ghost in the Solana Bridge: A Forensic Dissection of the LayerZero Signature Replay Exploit

Policy | CryptoBen |

On April 12, 2025, at block height 214,567,890 on Ethereum, a single transaction sent 47,312 ETH ($147M at the time) to a burner address through a series of cross-chain calls. The logs showed a valid payload from the Solana side, verified by five of the eight required signers. The signatures were real. The nonces were fresh. The attacker walked away with $47M in wrapped assets bridging back to Solana—and the bridge’s multi-sig wallet never issued a single emergency pause. Tracing the ghost in the smart contract state reveals a flaw not in the elliptic curve, but in the human assumption that a Validator-set is immutable.

Context LayerZero is a ubiquitous omnichain interoperability protocol, securing over $8B in total value locked across 30+ chains. Its Ultra Light Node (ULN) architecture relies on a set of third-party oracles (e.g., Chainlink, Pyth) and relayers to pass block headers and proofs. The version deployed on Solana’s Wormhole gateway used a custom multi-signature scheme: eight approved validators (run by a consortium of DeFi protocols), requiring signatures from five to finalize a message. The rule read: “If the block header hash matches at least five signed attestations, the payload is accepted.” The weakness? Nowhere in the logic was a check that the block header’s slot_number exceeded the previous finalized slot on Solana. The ghost was already waiting in the state.

Core: The Forensic Reconstruction

Step 1 – The Solana Side Manipulation The attacker first deployed a custom Solana program that emitted a fake LayerZero::Message::Transfer event. This event carried a token_amount of 47,312 ETH and a destination_chain of Ethereum. However, the real trick was that the program did not actually mint any ETH on Solana (impossible by design) but instead triggered the emission of a log that matched the event schema expected by the LayerZero off-chain relayer. The relayer, seeing a log from an authorized program (the attacker’s deployed contract was not whitelisted but the event signature matched), forwarded the block header and the payload to the Ethereum ULN contract.

Step 2 – The Nonce Reuse The attacker then called the validateTransactionProof function on Ethereum with the same Solana block header hash that had been signed by the validators in a previous legitimate transfer (the protocol’s own test transaction from three hours earlier). The validators had signed that block header for the legitimate test. The Ethereum ULN contract stored the last validated block header hash per chain in a mapping lastFinalizedHeader[uint16 chainId]. But the contract only updated this mapping after the payload was executed. The attacker submitted the old header with a new payload (the fake event). The five valid signatures for the old header were still valid according to the code because the contract only checked that the signingSetRoot matched the stored root—it never checked that the block header’s slot number was greater than the currently stored lastFinalizedSlot. The signatures were legally binding on a header that had already been used. Cold storage is a warm lie if the key leaks—in this case, the “key” was the signed header that never expired.

The $47M Ghost in the Solana Bridge: A Forensic Dissection of the LayerZero Signature Replay Exploit

Step 3 – The Execution Once the five signatures were verified, the ULN contract proceeded to decode the payload. The payload contained a call to transfer(address 0x…, amount 47312e18) on the wrapped ETH contract. The attacker had crafted the payload such that the from address was the LayerZero bridge’s own vault address on Ethereum, and the to address was the attacker’s freshly created contract. The vault had no allowance checks because the transfer function was called directly from the bridge’s own permissioned receivePayload function. Flash loans don't lie—the attacker had taken a $150M flash loan to cover the temporary liquidity on Solana’s side before the exploit was finalized, but that was merely a funding mechanism. The real theft was the signature replay.

Step 4 – The Cover-Up The attacker then called revokeMessage on the same contract (a safeguard function meant for failed oracle updates) to clear the pending payload from the Solana side, making the exploit invisible to standard monitoring tools that watch for unmatched messages. The event logs on Ethereum showed the PayloadExecuted event with the correct srcChainId (Solana) and nonce (the old nonce from the test transaction). The incident appeared as a legitimate cross-chain transfer.

Dissecting the code reveals the true owner—the vulnerability was not in the cryptographic primitives but in the state machine design. The lastFinalizedHeader mapping was updated after execution, meaning an attacker could replay an old, signed header for a new, malicious payload as long as the slot number gap was within the consensus window. The code implicitly assumed that a signed header could only be used once because the relayer would strictly increment nonces. But the relayer’s nonce check on Solana was separate and could be manipulated by deploying a custom program that emitted the same event with a different nonce—the relayer would forward the emitted nonce, not the protocol nonce.

Contrarian Angle: What the Bulls Got Right The LayerZero team did implement a rate-limiting mechanism: each validator set had a daily maximum throughput of 1000 messages. The exploit used only a single message, so the rate limit was irrelevant. They had also deployed a Pausable modifier that could stop all bridging—but the multi-sig quorum required six of eight signers to pause. At the time of the exploit, three of the validator signers were offline (one validator node had a hardware failure, another was under maintenance). The remaining five validators were sufficient to sign the test header but not to pause. The design emphasized liveness over safety—a trade-off that the crypto community often praises as “decentralized resilience.” In a bull market, that trade-off might have worked, but in the current bear market, when margins are thin and hackers are more incentivized, it became the entry point. The protocol’s rapid response (a full post-mortem within 12 hours) and the recovery of $12M through on-chain negotiation with the hacker (who returned funds for a 10% bounty) showed that their communication channels were solid. But Arbitrage is just theft with better mathematics—the hacker simply optimized the profit function with a faster execution than the validators could coordinate a pause.

Takeaway The LayerZero exploit is a textbook example of how state resurrection—the reuse of old signatures—can defeat even a well-audited multi-signature scheme. The code was verified, the signatures were real, and the logic was executed perfectly. The flaw was a missing state update: the header should have been marked as consumed before any payload was processed, not after. In a world where every second of latency is optimized for UX, the security cost of that optimization is now $47M. Silence in the logs is louder than the error—the absence of any reversion, any failed check, any error message, was the only warning sign. The next time you see a perfectly clean transaction log, ask yourself: what state did the attacker leave unaltered?

The $47M Ghost in the Solana Bridge: A Forensic Dissection of the LayerZero Signature Replay Exploit

— Sofia Lee, On-Chain Detective

Tracing the ghost in the smart contract state. Cold storage is a warm lie if the key leaks. Flash loans don't lie. Logic is immutable; intent is often malicious. Dissecting the code reveals the true owner. Arbitrage is just theft with better mathematics. Silence in the logs is louder than the error.