CertiK fixes $5 million wormhole bridge defect

By Crypto Flexs | May 14, 2024 | 3 Mins Read

CertiK discovered and patched a major security flaw in the Aptos network’s Wormhole bridge, potentially saving $5 million.

The vulnerability allowed attackers to create fake token transfers, but CertiK’s quick action ensured that users’ funds were protected.

Aptos’ Wormhole Bridge $5 million security flaw discovered

CertiK discovered a flaw in Aptos’ Wormhole bridge and reported it to the Wormhole team. The issue was caused by incorrect use of the ‘public(friend)’ and ‘entry’ modifiers in the Move programming language.

The ‘public(friend)’ modifier allows a function to be called by other functions within the same module or by a specified external account. In contrast, the ‘entry’ modifier allows any external account to call the function.

The bridge had a function called ‘publish_event’ that emitted events such as token transfers. This function should have been callable only by other functions within the same module or by a specified external entity. However, it was declared with both ‘public(friend)’ and ‘entry’, which allowed anyone to call ‘publish_event’ even if they were not authorized to do so.

This flaw allowed an attacker to create fake events that appeared to move tokens from one account to another without actually moving any tokens. Such fake events could have caused the Ethereum side of the bridge to issue or unlock tokens without real deposits backing them on the Aptos side, potentially resulting in losses of up to $5 million.
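The modifier combination described above can be checked for mechanically before deployment. The following is an added example, not code from CertiK or Wormhole: a small Python audit that scans Move source for functions declared with both ‘public(friend)’ and ‘entry’. The Move sample is constructed, and its module, friend and parameter names are hypothetical.

```python
import re

# Constructed Move source (hypothetical module, friend and parameter names),
# modelled on the article's description: one function carries both
# modifiers, one has 'entry' removed, two are ordinary entry points.
SAMPLE_MOVE = """
module bridge::state {
    friend bridge::transfer;

    public(friend) entry fun publish_event(sender: u64, payload: vector<u8>) {
        // emits the event that the other chain's bridge acts on
    }

    public(friend) fun publish_event_patched(sender: u64, payload: vector<u8>) {
    }

    public entry fun transfer_tokens(user: &signer, amount: u64) {
    }

    entry fun init(admin: &signer) {
    }
}
"""

# Accept the modifiers in any order so formatting differences do not hide a match.
FUN_DECL = re.compile(
    r"^\s*((?:(?:public\s*\(\s*friend\s*\)|public|entry|native)\s+)*)fun\s+(\w+)",
    re.MULTILINE,
)
FRIEND = re.compile(r"public\s*\(\s*friend\s*\)")

def strip_comments(src):
    """Drop block and line comments so commented-out code is not reported."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", src)

def find_friend_entry_functions(src):
    """Return names of functions declared with both public(friend) and entry."""
    flagged = []
    for m in FUN_DECL.finditer(strip_comments(src)):
        modifiers, name = m.group(1), m.group(2)
        if FRIEND.search(modifiers) and re.search(r"\bentry\b", modifiers):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name in find_friend_entry_functions(SAMPLE_MOVE):
        print(f"{name}: friend-restricted but also 'entry' (any transaction can call it)")
```

Only the function carrying both modifiers is reported; the variant without ‘entry’ and the ordinary entry points pass.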

CertiK’s rapid action to patch and secure the Wormhole bridge

After discovering the flaw, CertiK immediately notified the Wormhole team on December 5, 2023. The team developed and tested a patch to close the security hole. They notified the Guardians of the protocol, who approved the patch through a multi-signature vote. The protocol’s Aptos contract was then upgraded to secure the bridge. This process took approximately 3 hours.


In addition to removing the ‘entry’ keyword from the ‘publish_event’ function, the patch also lowers Aptos’ ‘governor rate limit’ from $5 million to $1 million. This move was aimed at limiting potential losses from future exploits. CertiK noted that current usage is less than $1 million per day, so the lower cap shouldn’t affect most users.

“This case study not only highlights the critical role of proactive security practices, but also celebrates the power of open source software to raise security and transparency standards across the Web3 world,” CertiK added.

Wormhole also performed a retrospective analysis to determine whether the issue affected user funds. The analysis confirmed that no funds had been transferred illegally and that users’ balances remain safe.

This isn’t the first time Wormhole has faced security issues. In 2022, the bridge lost over $321 million due to a bug in the Solana part of the bridge, which allowed attackers to issue unbacked tokens. Despite this setback, Wormhole improved its security practices and recovered to $1 billion in total value locked.
