A recent social media post from CertiK, a blockchain security platform, revealed that a security flaw in the Wormhole bridge on the Aptos network could have led to losses of $5 million if it had not been detected. CertiK claimed that they discovered the bug and promptly reported it to the Wormhole team before any exploitation occurred. The flaw has since been fixed, and the bridge is now secure.
Aptos is a blockchain network that utilizes the MOVE programming language, originally developed by Facebook for the Libra project. MOVE proponents argue that it is a safer language for writing smart contracts compared to Ethereum’s Solidity or other alternatives.
CertiK’s report, presented in video format, explained that the flaw stemmed from an incorrect implementation of the “public(friend)” and “entry” modifiers in the MOVE programming language. The “public(friend)” modifier allows a function to be called by other functions within the same module or by external accounts specified on a “friends list,” but not by other callers. Conversely, the “entry” modifier specifies that a function can be called by any external account.
Within the bridge, there was a function called “publish_event,” used for announcing events like token transfers. It was meant to be callable only by other functions within the same module or specific external entities. However, in the version examined by CertiK, the function was modified with both “public(friend)” and “entry” modifiers, enabling anyone to call “publish_event” regardless of their approval status.
Exploiting this flaw, an attacker could have created fake transactions that appeared to transfer tokens between accounts, even though no actual tokens were being moved. These “events” could have caused the Ethereum version of the bridge to mint or unlock tokens without any legitimate deposits from the Aptos side. Consequently, the attacker could have drained up to $5 million from the bridge.
CertiK notified the Wormhole team of the flaw on December 5, 2023. After investigating the report, the team developed and tested a patch to address the security loophole. They then informed the protocol’s Guardians about the issue, who approved the implementation of the patch through a multisignature vote. The Aptos contract was subsequently upgraded with the new code. The entire process of fixing the flaw took approximately three hours, rendering the new version of the bridge immune to this particular exploit.
The patch not only removed the “entry” keyword from the “publish_event” function but also limited the value of the “governor rate limits” on Aptos from $5 million to $1 million. This change effectively prevented withdrawals from Aptos exceeding $1 million per day, reducing potential losses in case of future exploits. CertiK asserted that current usage remains below $1 million per day, indicating that the rate limit should not affect most users.
In response to this incident, Wormhole conducted a retrospective analysis to determine if any user funds had been impacted. They concluded that no illicit transfers had occurred, and users’ balances remained secure.
It is worth noting that Wormhole has not always been successful in identifying security flaws before they are exploited. In 2022, the platform suffered losses of over $321 million due to a bug in the Solana part of the bridge, which allowed an attacker to mint unsupported tokens. However, the team swiftly patched the bug and compensated affected users. In January, Wormhole managed to reclaim $1 billion in total value locked for the first time since the incident, indicating that some users have regained confidence in its security practices.
Relatedly, a recent report highlighted bugs in the Gains Network fork that enabled traders to profit by 900% on each trade.