Critical $5 Million Security Flaw in Aptos Wormhole Bridge - Certik
05/14/2024 17:00CertiK secured Aptos' Wormhole bridge, preventing a potential $5M loss by fixing a critical security flaw.
CertiK discovered and patched a major security flaw in the Wormhole bridge on the Aptos network, potentially saving $5 million.
This vulnerability could have let an attacker create fake token transfers, but CertiK’s swift action secured users’ funds.
Aptos’ Wormhole Bridge $5M Security Flaw Discovered
CertiK found the flaw in the Wormhole bridge on Aptos and reported it to the Wormhole team. The problem stemmed from incorrectly implementing the MOVE programming language’s ‘public(friend)’ and ‘entry’ modifiers.
The ‘public(friend)’ modifier allows functions to be called by others within the same module or by specified external accounts. In contrast, the ‘entry’ modifier allows any external account to call a function.
The bridge had a function called ‘publish_event,’ meant to announce events like token transfers. This function should only have been callable by other functions within the same module or certain specified external entities. However, the function was modified by both ‘public(friend)’ and ‘entry,’ making it possible for anyone to call ‘publish_event,’ even if they were not approved.
This flaw could have let an attacker create fake transactions, appearing to move tokens from one account to another without moving actual tokens. These fake events could have caused the Ethereum version of the bridge to mint or unlock tokens without real deposits backing them on the Aptos side, potentially draining up to $5 million.
CertiK’s Rapid Action to Patch and Secure the Wormhole Bridge
After discovering the flaw, CertiK immediately informed the Wormhole team on December 5, 2023. The team developed and tested a patch to close the security loophole. They informed the protocol’s Guardians, who approved the patch through a multi-signature vote. The protocol’s Aptos contract was then upgraded, securing the bridge. This process took approximately three hours.
Read more: Crypto Scam Projects: How To Spot Fake Tokens
Besides removing the ‘entry’ keyword from the publish_event function, the new patch also restricted the ‘governor rate limits’ on Aptos from $5 million to $1 million. This strategic move aimed to limit potential losses from future exploits. CertiK noted that current usage is below $1 million daily, so the rate limit should not affect most users.
“This case study not only underscores the critical role of proactive security practices but also celebrates the power of open source software in raising security and transparency standards across the Web3 world,” CertiK added.
Wormhole also conducted a retrospective analysis to check if the issue affected any user funds. The study confirmed no funds were illicitly transferred, and users’ balances remained safe.
This isn’t the first time Wormhole has faced security challenges. In 2022, the bridge lost over $321 million due to a bug in the Solana part of the bridge, allowing an attacker to mint unbacked tokens. Despite this setback, Wormhole improved its security practices and reclaimed $1 billion in total value locked.
Trusted
Disclaimer
In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.