CertiK discovered $5M security flaw in Wormhole bridge on Aptos


A security flaw in the Wormhole bridge on Aptos network could have resulted in $5 million worth of losses had it not been discovered, according to a social media post from blockchain security platform CertiK. The platform claimed to have discovered the bug and reported it to the Wormhole team before it could be expl. The flaw has been patched, and the bridge is no longer vulnerable.

Source: CertiK.

Aptos is a blockchain network that uses the MOVE programming language, which was originally developed by Facebook for the Libra project. Supporters of MOVE claim that it is a safer language to write smart contracts when compared to Ethereum’s Solidity or other alternatives.

The CertiK report was posted in the form of a video. It claimed the flaw “arose from an incorrect implementation of the ‘public(friend)’ and ‘entry’ modifiers in the MOVE programming language.” The ‘public(friend)’ modifier allows a function to be called by other functions within the same module or by external accounts specified on a “friends list,” but not by other callers. On the other hand, the ‘entry’ modifier specifies that a function can be called by any external account.

The bridge contained a function called ‘publish_event,” which was used to announce events such as token transfers. It was only supposed to be callable by other functions within the same module or by certain “specified external entities.” However, in the version of the bridge that CertiK studied, the function was modified by both ‘public(friend)’ and ‘entry.’ This made it possible for anyone to call ‘publish_event,” even if they were not an approved caller.

Because of this flaw, an attacker could have created fake transactions that appeared to move tokens from one account to another, even though no actual tokens were being moved. These “events” could have caused the Ethereum version of the bridge to mint or unlock tokens without having any real deposits backing them on the Aptos side. As a result, the attacker could have drained up to $5 million worth of funds from the bridge, CertiK stated.

CertiK informed members of the Wormhole team about the flaw on Dec 5, 2023. After investigating the report, the team developed and tested a patch to close the security loophole and informed the protocol’s Guardians of the issue. Via a multisignature vote, the Guardians approved the patch to be implemented, and the protocol’s Aptos contract was upgraded to implement the new code. Once the flaw was reported, the process of fixing it took approximately three hours, and the new version of the bridge is no longer vulnerable to this exploit.

Wormhole Aptos exploit timeline. Source: CertiK.

In addition to removing the ‘entry’ keyword from the publish_event function, the new patch also restricted the value of the “governor rate limits” on Aptos from $5 million to $1 million, effectively preventing withdrawals from Aptos of greater than $1 million per day. This was done to limit losses in case of a future exploit. Current usage is below $1 million per day, CertiK claimed, implying that the rate limit shouldn’t affect most users.

Wormhole also performed a “retrospective analysis” to determine whether any user funds had been affected by the issue. They concluded that no funds had been illicitly transferred and that users’ balances were safe.

Wormhole hasn’t always managed to catch security flaws before they are exploited. In 2022, it lost more than $321 million when a bug in the Solana part of the bridge allowed an attacker to mint unbacked tokens. However, the team later patched the bug and compensated users. In January, Wormhole reclaimed $1 billion in total value locked for the first time since the incident, showing that some users feel its security practices have improved.

Related: Bugs in Gains Network fork let traders profit 900% on every trade: Report