Aptos’ Wormhole Bridge Security Flaw Discovered: CertiK Saves $5M
CertiK recently discovered and promptly patched a significant security flaw in the Wormhole bridge on the Aptos network, potentially preventing a loss of $5 million. This flaw could have led to the creation of fake token transfers, jeopardizing users’ funds. Here’s how the incident unfolded:
CertiK Unearths Vulnerability in Aptos’ Wormhole Bridge
- CertiK identified an issue in the Wormhole bridge on the Aptos network and promptly reported it to the Wormhole team.
- The problem stemmed from the improper combination of the ‘public(friend)’ and ‘entry’ modifiers on a function written in the Move programming language.
The Flaw in the Bridge Functionality
- The ‘public(friend)’ modifier allows a function to be called from within the same module or by the specific external modules it declares as friends.
- In contrast, the ‘entry’ modifier permits any account to invoke the function directly from a transaction.
- A function called ‘publish_event’ on the bridge, meant to announce events like token transfers, was incorrectly declared with both ‘public(friend)’ and ‘entry’ modifiers, so the ‘entry’ modifier opened it to callers the ‘public(friend)’ visibility was supposed to exclude.
Potential Risks and Consequences
- The vulnerability could have enabled an attacker to initiate fake transactions, creating an illusion of token movements without any actual transfer.
- These fictitious events could have led to the minting or unlocking of tokens on the Ethereum side of the bridge without corresponding deposits on the Aptos side, potentially resulting in losses of up to $5 million.
CertiK’s Swift Response to Secure the Wormhole Bridge
- Upon discovering the flaw, CertiK promptly notified the Wormhole team on December 5, 2023.
- The team quickly developed and tested a patch to address the security vulnerability.
- After approval by the protocol’s Guardians through a multi-signature vote, the Aptos contract was upgraded to implement the necessary security measures, securing the bridge within a span of approximately three hours.
Patch Implementation and Mitigation Measures
- Apart from removing the ‘entry’ keyword from the ‘publish_event’ function, the patch also reduced the ‘governor rate limits’ on Aptos from $5 million to $1 million.
- This adjustment aimed to limit potential losses from any future exploits, considering the current daily usage is below $1 million, thereby minimizing the impact on most users.
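To illustrate the modifier bug described above and the patch that removed the ‘entry’ keyword, here is a hypothetical Aptos Move module added for this article; it is not Wormhole's code, and the module names, the event struct, the ‘bridge_core’ friend module and the function bodies are assumptions.

```move
// Hypothetical module (not Wormhole's code) showing the vulnerable
// declaration of publish_event beside the patched one.
module example::bridge_events {
    use aptos_framework::event;

    // Constructed event type: announces a cross-chain token transfer.
    #[event]
    struct TransferEvent has drop, store {
        amount: u64,
        recipient: vector<u8>,
    }

    // Only this module may call the public(friend) functions below.
    // It is assumed to verify the real deposit before emitting an event.
    friend example::bridge_core;

    // BEFORE THE PATCH (vulnerable): `entry` makes this a transaction
    // entry point, so any account can call it directly. The
    // `public(friend)` restriction only governs module-to-module calls
    // and is bypassed; an arbitrary sender could emit a TransferEvent
    // that no deposit backs.
    public(friend) entry fun publish_event_vulnerable(
        _caller: &signer,
        amount: u64,
        recipient: vector<u8>,
    ) {
        event::emit(TransferEvent { amount, recipient });
    }

    // AFTER THE PATCH: `entry` removed. The function is no longer
    // callable from a transaction; only friend modules such as
    // bridge_core can reach it, after performing their own checks.
    public(friend) fun publish_event(amount: u64, recipient: vector<u8>) {
        event::emit(TransferEvent { amount, recipient });
    }
}
```

A quick review check for this class of bug is to search a Move code base for functions declared with both `public(friend)` and `entry` and confirm each one is genuinely intended to be callable by any account.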
“This case study not only highlights the importance of proactive security measures but also showcases the impact of open-source software in enhancing security and transparency standards within the Web3 ecosystem,” CertiK emphasized.
Post-Patch Analysis and User Fund Confirmation
- Subsequent to the security fix, Wormhole conducted a retrospective analysis to ensure the safety of user funds.
- The analysis reaffirmed that no unauthorized fund transfers occurred, and users’ account balances remained intact and secure.
Security Evolution: Wormhole’s Past and Future
- This incident is not the first security challenge that Wormhole has faced. In a previous case in 2022, the bridge encountered a bug in the Solana segment, resulting in a loss of over $321 million.
- Despite the setback, Wormhole has made significant strides in enhancing its security practices and has successfully recovered $1 billion in total locked value.