
Critical $5 Million Security Flaw in Aptos Wormhole Bridge – Certik

Updated by Ryan Boltman

In Brief

  • CertiK discovered and patched a $5 million security flaw in Aptos' Wormhole bridge.
  • The flaw allowed anyone to call the 'publish_event' function, potentially enabling fake transactions.
  • CertiK swiftly informed the Wormhole team, who developed and implemented a patch within three hours, securing the bridge.

CertiK discovered and patched a major security flaw in the Wormhole bridge on the Aptos network, potentially saving $5 million.

This vulnerability could have let an attacker create fake token transfers, but CertiK’s swift action secured users’ funds.

Aptos’ Wormhole Bridge $5M Security Flaw Discovered

CertiK found the flaw in the Wormhole bridge on Aptos and reported it to the Wormhole team. The problem stemmed from an incorrect combination of the Move programming language’s ‘public(friend)’ and ‘entry’ function modifiers.

The ‘public(friend)’ modifier allows functions to be called by others within the same module or by specified external accounts. In contrast, the ‘entry’ modifier allows any external account to call a function.

The bridge had a function called ‘publish_event,’ meant to announce events like token transfers. This function should only have been callable by other functions within the same module or certain specified external entities. However, the function was modified by both ‘public(friend)’ and ‘entry,’ making it possible for anyone to call ‘publish_event,’ even if they were not approved.

This flaw could have let an attacker create fake transactions, appearing to move tokens from one account to another without moving actual tokens. These fake events could have caused the Ethereum version of the bridge to mint or unlock tokens without real deposits backing them on the Aptos side, potentially draining up to $5 million.

CertiK’s Rapid Action to Patch and Secure the Wormhole Bridge

After discovering the flaw, CertiK immediately informed the Wormhole team on December 5, 2023. The team developed and tested a patch to close the security loophole. They informed the protocol’s Guardians, who approved the patch through a multi-signature vote. The protocol’s Aptos contract was then upgraded, securing the bridge. This process took approximately three hours.


Besides removing the ‘entry’ keyword from the publish_event function, the patch also lowered the ‘governor rate limit’ on Aptos from $5 million to $1 million. This move aimed to cap potential losses from any future exploit. CertiK noted that current usage is below $1 million daily, so the rate limit should not affect most users.
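As an added illustration, not code from the article or from Wormhole, the following minimal Aptos Move package shows the modifier combination described above beside the patched form. The module names, the `@bridge` named address, the event layout and the friend module are all assumptions chosen for the example.

```move
module bridge::state {
    use std::signer;
    use aptos_framework::account;
    use aptos_framework::event::{Self, EventHandle};

    /// Only the token-locking module is meant to publish bridge messages.
    friend bridge::transfer_tokens;

    struct MessageEvent has drop, store { sender: address, payload: vector<u8> }

    struct State has key { message_events: EventHandle<MessageEvent> }

    /// Called once by the deploying account (@bridge) to create the event handle.
    public entry fun init(deployer: &signer) {
        assert!(signer::address_of(deployer) == @bridge, 1);
        move_to(deployer, State { message_events: account::new_event_handle<MessageEvent>(deployer) });
    }

    // BEFORE (vulnerable): `entry` makes this a transaction entry point that any
    // account can invoke directly, so the `public(friend)` restriction is bypassed
    // and a transfer message can be emitted without any tokens being locked.
    public(friend) entry fun publish_event_vulnerable(sender: &signer, payload: vector<u8>) acquires State {
        emit(signer::address_of(sender), payload);
    }

    // AFTER (fixed): with `entry` removed, only friend modules can reach this
    // function, and the friend below calls it only after tokens are locked.
    public(friend) fun publish_event(sender: &signer, payload: vector<u8>) acquires State {
        emit(signer::address_of(sender), payload);
    }

    fun emit(sender: address, payload: vector<u8>) acquires State {
        let state = borrow_global_mut<State>(@bridge);
        event::emit_event(&mut state.message_events, MessageEvent { sender, payload });
    }
}

module bridge::transfer_tokens {
    use aptos_framework::coin;
    use aptos_framework::aptos_coin::AptosCoin;
    use bridge::state;

    /// The only legitimate path: lock real tokens first, then publish the message.
    public entry fun lock_and_publish(sender: &signer, amount: u64, payload: vector<u8>) {
        // Constructed simplification: the locked coins are held by the bridge account.
        coin::transfer<AptosCoin>(sender, @bridge, amount);
        state::publish_event(sender, payload);
    }
}
```

A transaction that names `bridge::state::publish_event` directly is rejected once `entry` is gone, while the same call from `bridge::transfer_tokens` still compiles because that module is declared a friend.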

“This case study not only underscores the critical role of proactive security practices but also celebrates the power of open source software in raising security and transparency standards across the Web3 world,” CertiK added.

Wormhole also conducted a retrospective analysis to check if the issue affected any user funds. The study confirmed no funds were illicitly transferred, and users’ balances remained safe.

This isn’t the first time Wormhole has faced security challenges. In 2022, the bridge lost over $321 million due to a bug in the Solana part of the bridge, allowing an attacker to mint unbacked tokens. Despite this setback, Wormhole improved its security practices and reclaimed $1 billion in total value locked.



Shota Oba