CertiK found a $5M security flaw in Wormhole Bridge on Aptos

CertiK found a $5M security flaw in Wormhole Bridge on Aptos


A security flaw in the Wormhole Bridge on the Aptos network could have cost $5 million if not discovered, according to a social media post from blockchain security platform CertiK. He said he discovered the bug before the forum went down and reported it to the Wormhole team. The flaw has been fixed, and the bridge is no longer vulnerable.

Source: CertiK.

Aptos is a blockchain network that uses the MOVE programming language originally developed by Facebook for the Libra project. Proponents of MOVE claim that it is a more secure language for writing smart contracts compared to Ethereum Solidity or other alternatives.

Certike's report is posted in video form. The error was “caused by an incorrect implementation of the “public (friend)” and “entry” modifiers in the MOVE programming language,” he said. The ‘public(friend)' switch allows a function to be called by other functions in a module or by external tags defined in the “friends list”, but not by other callers. On the other hand, the ‘input' switch specifies that a function can be called by any external identifier.

The bridge contains a function called ‘publish_event' which is used to announce events such as token transfers. It should only be called by other functions in the same module or by certain “defined external entities”. But in the version of the bridge that Certike studied, the function was fixed to both ‘public(friend)' and ‘login'. This allowed anyone to call ‘publish_event', even if they were not authorized callers.

bybit

Because of this flaw, an attacker could create fake transactions that appear to move from one account to another, even though no actual tokens are being moved. These “events” could have caused the Ethereum version of the bridge to mine or unlock tokens without any real deposits on the part of Aptos. As a result, the attacker could have siphoned up to $5 million from the bridge, CertiK said.

CertiK notified Wormhole team members of the flaw on December 5, 2023. After examining the report, the team developed and tested a patch to close the security hole and reported the issue to the protocol's guardians. In a multi-signature vote, the custodians allowed the patch to be implemented, and the protocol's Aptos contract was updated to implement the new code. Once the bug was reported, the fix process took about three hours, and the new version of the bridge is not vulnerable to this exploit.

a76a62fe 5905 45d3 9186 6ee05f0014c9
Wormhole Aptos Exploits Timeline Source: CertiK.

In addition to removing the ‘input' keyword from the publish_event function, the new patch also limits the value of the “buyer rate limit” on Aptos from $5 million to $1 million, effectively preventing withdrawals of more than $1 million per day. This was done to limit losses in case of future exploitation. Current usage is less than $1 million per day, CertiK says, which means the price cap shouldn't affect many users.

The wormhole performed “retrospective analysis” to determine if any user funds were affected by the issue. They concluded that no money was transferred illegally and the users' balances were safe.

Wormholes are not always able to catch security flaws before they are exploited. In the year It lost more than $321 million in 2022 when a bug on the Solana section of the bridge allowed an attacker to create unsupported signals. However, the team later fixed the bug and compensated users. In January, the wormhole regained $1 billion in total value locked for the first time since the incident, indicating that some users feel its security measures have improved.

RELATED: Mistakes With The Gaines Network Fork Allow Traders To Profit 900% On Every Trade: Report

Leave a Reply

Pin It on Pinterest