CertiK Thwarts $5M Security Flaw in Wormhole Bridge on Aptos Network
Summary:
Blockchain security company CertiK discovered and addressed a potentially damaging $5 million security flaw within the Wormhole bridge on the Aptos network. The bug, linked to the MOVE programming language, was reportedly patched before any damage occurred. In response, the daily withdrawal limit from Aptos was reduced to $1 million to prevent substantial losses in the event of future security lapses. The company undertook a "look-back analysis" to verify users' balances, concluding no funds had been illicitly transferred. Despite previous glitches, Wormhole has regained user trust, reclaiming a total value locked of $1 billion.
A security deficiency within the Wormhole bridge on the Aptos network had the potential to lead to a whopping loss of $5 million if it hadn't been detected, as revealed by a post on social media from blockchain security provider CertiK. The company claims to have recognized and reported the malfunction to Wormhole's team before disaster could strike. The bug has since been rectified, ensuring the bridge is no longer susceptible.
Aptos is a blockchain network utilizing the MOVE programming language, first crafted by Facebook for their Libra project. Advocates for MOVE argue that it provides a more secure format for crafting smart contracts in comparison to Ethereum’s Solidity or other alternatives.
CertiK presented their report in a video format. According to them, the malfunction originated from an incorrect combination of the 'public(friend)' and 'entry' modifiers in the MOVE programming language. The former modifier permits a function to be invoked by others within the same module or by external modules listed as "friends," but by no one else. In contrast, the 'entry' modifier indicates that a function may be invoked directly by any external account through a transaction.
The bridge incorporated a function named 'publish_event', used to record occurrences such as token transfers. This function was meant to be invoked only by other functions within the same module or by "specified external entities". However, in CertiK's analysis of the bridge, the function carried both the 'public(friend)' and 'entry' modifiers. Consequently, anyone, including unapproved callers, could trigger 'publish_event'.
Because of this malfunction, an attacker might have fabricated fictitious transactions that give the illusion of tokens being transferred from one account to another without any actual tokens moving. These artificial 'events' could have caused the Ethereum side of the bridge to mint or unlock tokens without any genuine deposits backing them on the Aptos side. CertiK claimed this situation could have led to an attacker draining up to $5 million from the bridge.
The Wormhole team was notified of the malfunction by CertiK on December 5, 2023. After inspecting the report, the team devised and tested a patch to close the security gap. The protocol's Guardians were also apprised of the issue. Following a multisignature vote, the Guardians approved the patch's deployment, and the protocol's Aptos contract was upgraded with the new code. Measured from the time of the report, the fix took nearly three hours, and the new bridge version is no longer exposed to this vulnerability.
A critical change in the new patch was the removal of the 'entry' keyword from the publish_event function. The updated patch likewise lowered the "governor rate limits" on Aptos from $5 million to $1 million; this significantly curbs Aptos withdrawals, to a maximum of $321 million per day. This measure helps avert potentially substantial losses should another malfunction occur. CertiK added that daily usage is currently less than $1 million, suggesting this cap shouldn't disrupt most users.
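As an added illustration, not Wormhole's or CertiK's code, the modifier combination described above in a minimal Aptos Move module, with the vulnerable signature beside the corrected one; the module, struct and function names (bridge_demo::events, bridge_demo::transfer, EventStore) are assumed:

```move
// Added illustration, not Wormhole's code: module and function names are assumed.
module bridge_demo::events {
    use std::signer;
    use aptos_framework::account;
    use aptos_framework::event;

    // Only this module is trusted to call the public(friend) functions below.
    friend bridge_demo::transfer;

    struct TransferEvent has drop, store { sender: address, amount: u64 }
    struct EventStore has key { transfers: event::EventHandle<TransferEvent> }

    // Called once by the module publisher (@bridge_demo) to create the handle.
    public entry fun init(publisher: &signer) {
        move_to(publisher, EventStore {
            transfers: account::new_event_handle<TransferEvent>(publisher),
        });
    }

    // VULNERABLE shape: on Aptos, `entry` makes a function a transaction entry
    // point regardless of its visibility, so the public(friend) restriction
    // only governs module-to-module calls. Any account can submit a transaction
    // that emits a transfer event with no tokens behind it.
    public(friend) entry fun publish_event_vulnerable(caller: &signer, amount: u64)
    acquires EventStore {
        let store = borrow_global_mut<EventStore>(@bridge_demo);
        event::emit_event(&mut store.transfers,
            TransferEvent { sender: signer::address_of(caller), amount });
    }

    // FIXED shape (the patch described above): without `entry`, the function
    // is reachable only from friend modules, never directly from a transaction.
    public(friend) fun publish_event(caller: &signer, amount: u64)
    acquires EventStore {
        let store = borrow_global_mut<EventStore>(@bridge_demo);
        event::emit_event(&mut store.transfers,
            TransferEvent { sender: signer::address_of(caller), amount });
    }
}

// The trusted caller: it validates and locks first, then records the event.
module bridge_demo::transfer {
    use bridge_demo::events;
    const E_ZERO_AMOUNT: u64 = 1;

    // Trusted path: validate, move the tokens (coin logic not shown), then record.
    public entry fun lock(caller: &signer, amount: u64) {
        assert!(amount > 0, E_ZERO_AMOUNT);
        events::publish_event(caller, amount);
    }
}
```

A deployment check that catches this class of bug is to list every `entry` function in the published module and confirm each one is meant to be a transaction entry point, since any visibility modifier on an `entry` function does not restrict transaction callers.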
Wormhole also undertook a "look-back analysis" to ascertain whether the malfunction had any influence on user funds. Their conclusion was that no funds were illegitimately transferred, verifying user balances were secure.
Wormhole has previously missed timely detection of security lapses. In 2022, it suffered a loss of over $321 million when a flaw in the Solana part of the bridge enabled an attacker to mint unbacked tokens. That bug was later fixed, and users were compensated. By January, Wormhole had regained $1 billion in total value locked, suggesting some users trust its enhanced security measures.
Published At: 5/13/2024 10:46:01 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.