CertiK, a blockchain security platform, has revealed a security flaw in the Wormhole bridge on the Aptos network that could have led to potential losses of $5 million. The platform discovered the bug and promptly reported it to the Wormhole team before any exploitation could occur. Fortunately, the flaw has been fixed, and the bridge is now secure.
Aptos is a blockchain network that utilizes the MOVE programming language, which was originally developed by Facebook for the Libra project. MOVE supporters argue that it is a safer language for writing smart contracts compared to Ethereum’s Solidity and other alternatives.
CertiK shared a video report explaining that the flaw stemmed from an incorrect implementation of the “public(friend)” and “entry” modifiers in the MOVE programming language. The “public(friend)” modifier allows a function to be called by other functions within the same module or by external accounts specified on a “friends list,” but not by other callers. In contrast, the “entry” modifier specifies that any external account can call a function.
The flaw resided in a function called “publish_event” within the bridge, which was designed to announce events like token transfers. Ideally, this function should only be callable by other functions within the same module or specific external entities. However, in the version of the bridge studied by CertiK, the function was modified with both “public(friend)” and “entry” modifiers, enabling anyone to call “publish_event” regardless of their status as an approved caller.
Exploiting this flaw, an attacker could have created fake transactions that appeared to move tokens between accounts, even though no actual tokens were being transferred. These “events” could have triggered the Ethereum version of the bridge to mint or unlock tokens without any legitimate deposits on the Aptos side. As a result, the attacker could have drained up to $5 million from the bridge.
CertiK informed the Wormhole team about the flaw on December 5, 2023. After conducting an investigation, the team developed and tested a patch to address the security loophole and notified the protocol’s Guardians about the issue. Through a multisignature vote, the Guardians approved the implementation of the patch, and the Aptos contract was upgraded with the new code. The process of fixing the flaw took approximately three hours, and the bridge is now secure against this exploit.
The new patch not only removed the “entry” keyword from the “publish_event” function but also limited the value of the “governor rate limits” on Aptos from $5 million to $1 million. This limitation prevents withdrawals from Aptos exceeding $1 million per day, reducing potential losses in the event of a future exploit. CertiK stated that the current usage is below $1 million per day, indicating that this rate limit should not affect most users.
To ensure user safety, Wormhole conducted a retrospective analysis to assess whether any funds had been affected by the flaw. They determined that no illicit transfers had occurred, and users’ balances remained secure.
While Wormhole has experienced security flaws in the past, such as the bug in the Solana part of the bridge that resulted in a loss of over $321 million, the team has since patched the bug and compensated affected users. In January, Wormhole successfully regained $1 billion in total value locked for the first time since the incident, indicating an improvement in their security practices.
Relatedly, a report highlights bugs in the Gains Network fork that allowed traders to profit 900% on every trade.