CertiK discovered a $5 million security flaw in Aptos’ Wormhole bridge.
A security flaw in the Aptos network’s wormhole bridge could have resulted in losses worth $5 million if it had not been discovered, according to a social media post from blockchain security platform CertiK. The platform claimed to have discovered the bug and reported it to the Wormhole team before it exploded. The flaw has been patched and the bridge is no longer vulnerable.
Aptos is a blockchain network that uses the MOVE programming language, originally developed by Facebook for the Libra project. MOVE proponents argue that it is a more secure language to write smart contracts in compared to Solidity on Ethereum or other alternatives.
The CertiK report has been published in video format. The flaw was claimed to be “caused by incorrect implementation of the ‘public(friend)’ and ‘entry’ modifiers in the MOVE programming language.” The ‘public(friend)’ modifier allows the function to be called by other functions within the same module or by external accounts specified in the “friend list”, but not by other callers. On the other hand, the ‘entry’ modifier specifies that the function can be called from external accounts.
The bridge includes a function called ‘publish_event’, which is used to notify events such as token transfers. It had to be callable only by other functions within the same module or by specific “specified external entities”. However, in the version of the bridge studied by CertiK, the functionality was modified by both ‘public(friend)’ and ‘entry’. This allows anyone to call ‘publish_event’ even if they are not an authorized caller.
The flaw allowed attackers to create fake transactions that appeared to move tokens from one account to another, even though no actual tokens were moved. These “events” allowed the Ethereum version of the bridge to mint or unlock tokens without supporting physical deposits on the Aptos side. As a result, the attackers were able to extort up to $5 million worth of funds from the bridge, CertiK said.
CertiK notified Wormhole team members about the flaw on December 5, 2023. After investigating the report, the team developed and tested a patch to close the security hole and notified the Protocol’s Guardians of the problem. Through a multi-signature vote, the Guardians approved the implementation of the patch, and the protocol’s Aptos contract was upgraded to implement the new code. It took about three hours to fix the flaw after it was reported, and the new version of the bridge is no longer vulnerable to this exploit.
In addition to removing the ‘entry’ keyword from the post_event function, the new patch also capped Aptos’ “governor rate limit” value from $5 million to $1 million, effectively preventing withdrawals of more than $1 million per day from Aptos. This was done to limit losses against future exploits. CertiK claimed that current usage is less than $1 million per day, meaning speed limits shouldn’t affect most users.
Wormhole also performed a “retrospective analysis” to determine whether user funds were affected by the issue. They concluded that no funds had been transferred illegally and that users’ balances were safe.
Wormholes don’t always catch security flaws before they can be exploited. In 2022, a bug in the Solana portion of the bridge allowed attackers to issue unsupported tokens, causing losses of over $321 million. However, the team later patched the bug and compensated users. In January, Wormhole recovered $1 billion in total value locked for the first time since the incident, showing that some users feel security practices have improved.
Related: Bug in Gains Network Fork Allows Traders to Earn 900% Profits on Every Trade: Report