CertiK Discovered $5 Million Safety Flaw on Wormhole Bridge in Aptos

by SuperiorInvest

A security flaw in the Wormhole Bridge on the Aptos network could have resulted in $5 million in losses if it had not been discovered, according to a social media post by blockchain security platform CertiK. The platform claimed to have discovered the bug and reported it to the Wormhole team before it could be exploited. The flaw has been fixed and the bridge is no longer vulnerable.

Source: CertiK.

Aptos is a blockchain network that uses the MOVE programming language, originally developed by Facebook for the Libra project. Supporters of MOVE claim that it is a more secure language for writing smart contracts compared to Ethereum's Solidity or other alternatives.

The CertiK report was published in video form. It stated that the flaw “arose from an incorrect implementation of the 'public(friend)' and 'entry' modifiers in the MOVE programming language.” The 'public(friend)' modifier allows other functions within the same module or external accounts specified in a “friend list” to call a function, but not other callers. On the other hand, the 'entry' modifier specifies that any external account can call a function.

The bridge contained a function called 'publish_event', which was used to announce events such as token transfers. It was supposed to be callable only by other functions within the same module or by certain “specified external entities”. However, in the version of the bridge that CertiK studied, the function was marked as both 'public(friend)' and 'entry'. This made it possible for anyone to call 'publish_event', even if they were not an authorized caller.
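The modifier combination described above can be checked for mechanically. The following is an added example, not code from CertiK or Wormhole: a small Python scan that flags Move functions declared with a restricted `public(...)` visibility together with the `entry` keyword that the patch later removed. The Move snippet embedded in it is constructed for illustration; apart from the name `publish_event`, its address, module and functions are hypothetical.

```python
import re
from typing import NamedTuple

# Constructed Move source for illustration only: the address, module layout and
# every function except the name `publish_event` are hypothetical.
SAMPLE_MOVE = """\
module bridge_addr::state {
    friend bridge_addr::transfer;

    // Flawed shape: friend-restricted, yet `entry` exposes it to transactions.
    public(friend) entry fun publish_event(seq: u64, payload: vector<u8>) { }

    // Patched shape: `entry` removed, only friends can call it.
    public(friend) fun publish_event_patched(seq: u64, payload: vector<u8>) { }

    // Deliberately user-facing entry point: not a finding.
    public entry fun transfer_tokens(user: &signer, amount: u64) { }
}
"""

class Finding(NamedTuple):
    line: int
    name: str
    scope: str

# Modifiers may appear in any order before `fun`, so capture them all.
DECL = re.compile(
    r"^\s*((?:(?:public(?:\s*\(\s*\w+\s*\))?|entry|native|inline)\s+)*)fun\s+(\w+)"
)
SCOPE = re.compile(r"public\s*\(\s*(\w+)\s*\)")

def find_exposed_restricted_functions(source: str) -> list[Finding]:
    """Flag functions that are both visibility-restricted and `entry`."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # ignore commented-out declarations
        match = DECL.match(line)
        if not match:
            continue
        modifiers, name = match.groups()
        scope = SCOPE.search(modifiers)
        if scope and re.search(r"\bentry\b", modifiers):
            findings.append(Finding(lineno, name, scope.group(1)))
    return findings

if __name__ == "__main__":
    for f in find_exposed_restricted_functions(SAMPLE_MOVE):
        print(f"line {f.line}: {f.name} is public({f.scope}) but also entry")
```

The scan works line by line, so a declaration whose modifiers are split across several lines would need a real Move parser to catch.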

Because of this flaw, an attacker could have created fake transactions that appeared to move tokens from one account to another, even though no actual tokens were being moved. These “events” could have caused the Ethereum version of the bridge to mint or unlock tokens without having any actual deposits supporting them on the Aptos side. As a result, the attacker could have drained up to $5 million in funds from the bridge, CertiK claimed.

CertiK informed members of the Wormhole team about the flaw on December 5, 2023. After investigating the report, the team developed and tested a patch to close the security gap and informed the Protocol Guardians about the issue. Through a multi-signature vote, the Guardians approved the implementation of the patch and the protocol's Aptos contract was updated to implement the new code. Once the bug was reported, the repair process took approximately three hours and the new version of the bridge is no longer vulnerable to this exploit.

Wormhole Aptos bug timeline. Source: CertiK.

In addition to removing the 'entry' keyword from the publish_event function, the new patch also lowered the “governor's rate caps” in Aptos from $5 million to $1 million, effectively preventing Aptos withdrawals of more than $1 million per day. This was done to limit losses in case of a future exploit. Current usage is less than $1 million per day, CertiK said, meaning the rate cap should not affect most users.

Wormhole also performed a “retrospective analysis” to determine if any user's funds had been affected by the issue. They concluded that no funds had been transferred illicitly and that users' balances were safe.

Wormhole has not always been able to detect security flaws before they are exploited. In 2022, it lost more than $321 million when a bug in the Solana portion of the bridge allowed an attacker to mint tokens without backing. However, the team later fixed the error and compensated users. In January, Wormhole recovered $1 billion in total value locked for the first time since the incident, showing that some users feel its security practices have improved.
