CertiK Uncovers $5M Security Flaw in Aptos’ Wormhole Bridge
According to a recent post on social media by CertiK, a blockchain security platform, a security vulnerability in the Wormhole bridge on the Aptos network was discovered and patched before any damage could occur. If left undetected, this flaw could have potentially resulted in losses worth $5 million. Aptos is a blockchain network that utilizes the MOVE programming language developed by Facebook for the Libra project. Those who support MOVE argue that it is a safer language for writing smart contracts compared to alternatives like Ethereum’s Solidity. CertiK’s report, presented in video format, explains that the vulnerability stemmed from an incorrect implementation of certain modifiers in the MOVE programming language.
The flaw specifically arose from the combination of the ‘public(friend)’ and ‘entry’ modifiers. The ‘public(friend)’ modifier allows a function to be called by other functions within the same module or by specified external accounts, while the ‘entry’ modifier indicates that a function can be called by any external account. In the case of the Wormhole bridge, a function called ‘publish_event’ was meant to be callable only by approved callers within the same module or specified external entities. Due to an error, this function was mistakenly modified by both ‘public(friend)’ and ‘entry’, enabling unauthorized users to call it.
Exploiting this vulnerability would have allowed an attacker to create fake transactions that appeared to transfer tokens between accounts, even though no actual tokens were being moved. This could have resulted in the minting or unlocking of tokens on the Ethereum side of the bridge without corresponding deposits on the Aptos side. CertiK estimated that an attacker could have potentially drained up to $5 million from the bridge as a result.
CertiK promptly reported the flaw to the Wormhole team on December 5, 2023. After investigating the issue, the team developed and tested a patch to address the security loophole. They then informed the Guardians of the protocol, who approved the patch via a multisignature vote. The Aptos contract was subsequently upgraded to implement the new code, resolving the vulnerability. The entire process took approximately three hours, and the updated version of the bridge is now secure.
In addition to fixing the ‘entry’ keyword in the ‘publish_event’ function, the patch also introduced limitations on the “governor rate limits” on Aptos. Previously set at $5 million, the new rate limit prevents withdrawals from Aptos exceeding $1 million per day. This measure was put in place to minimize potential losses in the event of future exploits. According to CertiK, the current usage of Aptos is below $1 million per day, indicating that most users should not be affected by this rate limit.
Wormhole conducted a retrospective analysis to determine if any user funds had been impacted by this vulnerability. Fortunately, they concluded that no funds had been illicitly transferred, and users’ balances remained secure. It’s worth noting that Wormhole has not always been successful in identifying and addressing security flaws before they are exploited. In a previous incident in 2022, the Solana portion of the bridge experienced a bug that resulted in losses of over $321 million. Wormhole patched the bug and compensated affected users. Despite this setback, Wormhole recently surpassed $1 billion in total value locked, suggesting that users have regained confidence in its improved security practices.
22 thoughts on “CertiK Uncovers $5M Security Flaw in Aptos’ Wormhole Bridge”
Leave a Reply
You must be logged in to post a comment.
Congratulations to CertiK for their successful detection and patching of the security vulnerability in the Aptos network! Our funds are in safe hands, thanks to their continued efforts. 🛡️💰
Token transfers appearing real but actually not? That’s a nightmare for users.
I’m relieved to know that CertiK’s vigilance and expertise prevented any damage from occurring due to the security vulnerability in the Wormhole bridge. Our investments are protected, thanks to their dedication!
Our investments are safe, thanks to CertiK’s diligent efforts in detecting and resolving the security vulnerability in the Wormhole bridge. Keep up the fantastic work, team!
It’s disappointing to see such a basic mistake in the implementation of modifiers. Can’t they get it right?
Three hours to fix the vulnerability? Seems like it should have been caught earlier. 😤
I hope the rate limit change doesn’t inconvenience legitimate users. They shouldn’t suffer for this flaw.
Celebrating CertiK’s success in patching the security vulnerability in the Aptos network! Their video report was informative and reassuring. Cheers to a safer blockchain ecosystem!
CertiK, you rock! Thank you for keeping our funds secure by identifying and reporting the security vulnerability in the Aptos network. We appreciate your dedication to protecting the crypto community!
These programming languages need to be more thoroughly tested before being used in such critical applications.
I’m glad no funds were illicitly transferred this time, but it’s clear that Wormhole has a lot to learn.
Crisis averted! The flaw in the MOVE programming language used by Aptos could have resulted in massive losses, but thanks to CertiK’s intervention, we can breathe a sigh of relief.
Another reminder that no system is completely secure. Aptos needs to up its game.
Hooray for CertiK and the Wormhole team for their swift response and successful patching of the security flaw in the Aptos network! They deserve a virtual round of applause.
This is why I don’t trust blockchain networks. They’re always finding flaws!
Thank you, CertiK, for keeping the crypto community safe and secure! Your efforts to detect and address vulnerabilities like this are crucial for maintaining confidence in the blockchain ecosystem. 🛡️🔒
So, the flaw was found and patched, but what about the possibility of other undetected vulnerabilities?
A massive virtual applause to CertiK for their exceptional work in securing the blockchain ecosystem! Their timely detection and resolution of the security vulnerability in Aptos have saved us from potential losses.
A big shout-out to CertiK for saving the day! Their expertise in blockchain security is unparalleled, and their quick action has protected our funds from potential losses. You guys rock!
CertiK’s expertise in blockchain security shines through once again! By patching the vulnerability in the Wormhole bridge, they have shown their commitment to safeguarding our investments. Well done! 🌟🛡️
Confidence restored! With CertiK’s discovery and swift resolution of the security vulnerability in Aptos, we can trust the Wormhole bridge to keep our funds secure. Thank you for your unwavering dedication to our safety!
It’s concerning to think that this flaw could have gone unnoticed if not for CertiK. Who’s guarding the guardians? 🤔