CertiK uncovered a security flaw in the Wormhole bridge on the Aptos network potentially risking up to $5 million in damages.
A blockchain security platform, CertiK, released a statement on social media warning that the failure to detect a security issue in the Wormhole bridge on the Aptos network could have led to damages of up to $5 million.
Certik Identifies Security Flaw In Wormhole Bridge
The platform claimed to have identified the flaw and notified the Wormhole team of its discovery. The application of the patch has eliminated the bridge’s vulnerability.
An example of a blockchain network is Aptos, which makes use of the MOVE programming language. Facebook initially developed this language for the Libra project.
Supporters of MOVE argue that it is a more secure language for writing smart contracts than Ethereum’s Solidity or other alternatives. The website hosted the CertiK report as a video.
The problem, according to the report, “arose from an incorrect implementation of the ‘public (friend)’ and ‘entry’ modifiers in the MOVE programming language.”
Other functions within the same module or external accounts listed on a “friends list” can call a function, but other callers cannot. This is because the ‘public(friend)’ modifier specifies that the function is public.
However, the ‘entry’ modifier signifies that any external account can call a function. This is in contrast to the ‘public’ modifier. The bridge also included a function named “publish_event,” which served to announce events like token transfers.
Only other functions within the same module or some “specified external entities” could call it. CertiK’s investigation revealed that both ‘public (friend)’ and ‘entry’ altered the function to call the ‘publish_event’ number.
Because of this vulnerability, an adversary may have produced fraudulent transactions that gave the impression that tokens were being transferred from one account to another, despite the fact that no tokens were actually being transferred.
As a result of these “events,” the Ethereum version of the bridge might have been able to issue or unlock tokens without any actual deposits supporting them on the Aptos side.
As a result, the attacker may have been able to steal up to five million dollars worth of cash from the bridge, according to CertiK. On December 5th, 2023, CertiK informed members of the Wormhole team about the vulnerability.
Following the conclusion of the investigation into the report, the team developed and tested a patch to plug the security loophole. They then informed the guardians of the protocol about the problem.
The Guardians through a vote requiring multiple signatures approved the patch and changed the Aptos contract for the protocol to incorporate the new code making the updated version of the bridge immune to this exploit.
After reporting the problem, the resolution process took around three hours. In addition to deleting the ‘entry’ keyword from the publish_event function, the new patch also reduced the value of the “governor rate limits” on Aptos from $5 million to $1 million.
This effectively prevented withdrawals from Aptos worth more than $1 million over the course of a single day. We implemented this to limit losses in the event of a future exploit.
According to CertiK, the current usage is less than one million dollars per day, which suggests that the rate limit should not have an impact on the majority of customers.
Wormhole also conducted a “retrospective analysis” to determine if the problem had affected any user funds. They arrived at the conclusion that there had been no unauthorized transfer of funds and that the user’s balances were secure.
Identifying security weaknesses in time to prevent their exploitation has not always been successful for Wormhole. In 2022, a fault in the Solana section of the bridge made it possible for an attacker to manufacture unbacked tokens, resulting in a loss of more than $321 million due to the vulnerability.
However, the company eventually fixed the glitch and paid users for their inconvenience. Wormhole successfully regained one billion dollars’ worth of locked total value for the first time since the incident.
This indicator demonstrates that some users believe the company’s security practices have improved.