A proper ELI5 on the Wormhole ETH hack

So, the other day there was an ELI5 here about the recent Wormhole hack. That post was completely wrong, however. Here's my take on a proper one.

So, how did the hack happen?

Lets use a traditional bank to represent Wormhole, and imagine that you are the hacker trying to steal money from the bank. The money here represents the ETH stolen in the Wormhole hack.

So, imagine the following. One day you wake up, and for some reason, you want to steal money from a really rich person's bank account. So, off to the bank you go. Arriving at the bank, you show your ID to the teller, and tell them pretty please, give me the money. The teller checks your ID, and of course goes, no ser, no money for you, this isn't your account!

Okay, so then you think, how about maybe using a fake ID? But nah, this teller is superhumanly good at spotting fakes, so that's a no go. Then, after poking around a bit, you discover something really odd. Because it turns out that this bank has a really bad rule: they allow you to bring your own teller to verify transactions!

So you call up your friend and go, hey, wanna make a quick buck? Your friend goes, sure, and again you walk into the bank, like the last time. But this time instead you say, hey, I want to withdraw some money, and this is the teller I want to use. According to the rules, that's perfectly fine, so your friend jumps behind the counter. You proceed to give her your ID, and she happily confirms that, yes ser, indeed, this is all legit and here's your money!

Mission accomplished, lambo secured.

And so that's how this all went down. The attacker was able to exploit a bug in the smart contract on the Solana side of Wormhole. And this bug allowed them to trick the contract into verifying an invalid transaction to steal all that ETH (just like the bug in the rules of the bank allowed you to bring your own teller.)