A security flaw in the Wormhole bridge on the Aptos network could have led to losses
A security flaw in the Wormhole bridge on the Aptos network could have resulted in $5 million in losses had it not been discovered, according to a social media post from blockchain security platform CertiK. The platform claimed to have discovered the flaw and reported it to the Wormhole team before it could be explored. The bug has been corrected, and the bridge is no longer vulnerable.
Aptos is a blockchain network that uses the MOVE programming language, which was originally developed by Facebook for the Libra project. Supporters of MOVE claim that it is a safer language for writing smart contracts compared to Ethereum’s Solidity language or other alternatives.
The CertiK report is published in video form. It claimed that the flaw “arised from incorrect implementation of the ‘public (friend)’ and ‘entry’ modifiers in the MOVE programming language.” The “public(friend)” modifier allows the function to be called by other functions within the same module or by external accounts specified in the “Friends List”, but not by other callers. On the other hand, the “input” modifier specifies that the function can be called by any external account.
The bridge contains a function called “publish_event”, which was used to announce events such as token transfers. They were intended to be callable only by other functions within the same module or by certain “specific external entities”. However, in the version of the bridge studied by CertiK, the function is modified by both ‘public(friend)’ and ‘entry’. This allowed anyone to connect to “publish_event”, even if they were not an authenticated caller.
Because of this flaw, it was possible for an attacker to create fake transactions that appeared to transfer tokens from one account to another, even though actual tokens were not transferred. These “events” could have caused the Ethereum version of the bridge to mint or unlock tokens without any real deposits backing them on Aptos’ end. As a result, the attacker could have drained up to $5 million in funds from the bridge, CertiK stated.
CertiK informed members of the Wormhole team about the flaw on December 5, 2023. After investigating the report, the team developed and tested a patch to close the vulnerability and reported the issue to the protocol’s guardians. Through multi-signature voting, the Guardians agreed to implement the patch, and the protocol’s Aptos contract was upgraded to implement the new code. Once the bug was reported, it took about three hours to fix it, and the new version of the bridge is no longer vulnerable to this exploit.
In addition to removing the “enter” keyword from the publish_event function, the new patch also limited the “wallet rate limits” value on Aptos from $5 million to $1 million, effectively preventing Aptos withdrawals in excess of $1 million per day. This was done to limit losses in the event of a future exploit. CertiK claimed current usage is less than $1 million per day, meaning the price cap shouldn’t affect most users.
Wormhole also conducted a “retrospective analysis” to determine whether users’ funds were affected by this issue. They concluded that no funds were transferred illegally and that users’ balances were safe.
Wormholes were not always able to detect vulnerabilities before they were exploited. In 2022, it lost more than $321 million when a bug in the Solana portion of the bridge allowed an attacker to mint unsupported coins. However, the team later corrected the error and compensated users. In January, Wormhole recovered a total of $1 billion locked for the first time since the incident, showing that some users feel its security practices have improved.
Related: Bugs in Gains Network Fork Allow Traders to Make 900% Profits on Every Trade: Report
