Fun

CertiK discovered $5M security flaw in Wormhole bridge on Aptos

News Feed - 2024-05-14 04:05:01

Christopher Roark4 hours agoCertiK discovered $5M security flaw in Wormhole bridge on AptosA flaw in the bridge could have allowed an attacker to produce fake token transfers, but it was discovered and patched before anyone could take advantage of it.505 Total views1 Total sharesListen to article 0:00NewsOwn this piece of crypto historyCollect this article as NFTJoin us on social networksA security flaw in the Wormhole bridge on Aptos network could have resulted in $5 million worth of losses had it not been discovered, according to a social media post from blockchain security platform CertiK. The platform claimed to have discovered the bug and reported it to the Wormhole team before it could be expl. The flaw has been patched, and the bridge is no longer vulnerable.Source: CertiK.


Aptos is a blockchain network that uses the MOVE programming language, which was originally developed by Facebook for the Libra project. Supporters of MOVE claim that it is a safer language to write smart contracts when compared to Ethereum’s Solidity or other alternatives.


The CertiK report was posted in the form of a video. It claimed the flaw “arose from an incorrect implementation of the ‘public(friend)’ and ‘entry’ modifiers in the MOVE programming language.” The ‘public(friend)’ modifier allows a function to be called by other functions within the same module or by external accounts specified on a “friends list,” but not by other callers. On the other hand, the ‘entry’ modifier specifies that a function can be called by any external account.


The bridge contained a function called ‘publish_event,” which was used to announce events such as token transfers. It was only supposed to be callable by other functions within the same module or by certain “specified external entities.” However, in the version of the bridge that CertiK studied, the function was modified by both ‘public(friend)’ and ‘entry.’ This made it possible for anyone to call ‘publish_event,” even if they were not an approved caller.


Because of this flaw, an attacker could have created fake transactions that appeared to move tokens from one account to another, even though no actual tokens were being moved. These “events” could have caused the Ethereum version of the bridge to mint or unlock tokens without having any real deposits backing them on the Aptos side. As a result, the attacker could have drained up to $5 million worth of funds from the bridge, CertiK stated.


CertiK informed members of the Wormhole team about the flaw on Dec 5, 2023. After investigating the report, the team developed and tested a patch to close the security loophole and informed the protocol’s Guardians of the issue. Via a multisignature vote, the Guardians approved the patch to be implemented, and the protocol’s Aptos contract was upgraded to implement the new code. Once the flaw was reported, the process of fixing it took approximately three hours, and the new version of the bridge is no longer vulnerable to this exploit.Wormhole Aptos exploit timeline. Source: CertiK.


In addition to removing the ‘entry’ keyword from the publish_event function, the new patch also restricted the value of the “governor rate limits” on Aptos from $5 million to $1 million, effectively preventing withdrawals from Aptos of greater than $1 million per day. This was done to limit losses in case of a future exploit. Current usage is below $1 million per day, CertiK claimed, implying that the rate limit shouldn’t affect most users.


Wormhole also performed a “retrospective analysis” to determine whether any user funds had been affected by the issue. They concluded that no funds had been illicitly transferred and that users’ balances were safe.


Wormhole hasn’t always managed to catch security flaws before they are exploited. In 2022, it lost more than $321 million when a bug in the Solana part of the bridge allowed an attacker to mint unbacked tokens. However, the team later patched the bug and compensated users. In January, Wormhole reclaimed $1 billion in total value locked for the first time since the incident, showing that some users feel its security practices have improved.


Related:Bugs in Gains Network fork let traders profit 900% on every trade: Report# Ethereum# Hackers# Cybersecurity# Scams# Hacks# DeFiAdd reaction

News Feed

Ana Paula Pereira3 hours agoAlchemix reports return of all stolen funds from Curve poolsThe attacker started returning stolen funds after accepting nearly $7 million in bug bounty. Funds had been returned to Alchemix and
Helen Partz21 minutes agoSouth Korean city to seize crypto from thousands of tax evaders: ReportCity authorities of Cheongju are looking to seize cryptocurrency from anyone who owes at least $750 in crypto taxes to the g
Malaysia adopts Worldcoin for personal verification and digital ID
Amaka Nwaokocha11 hours agoMalaysia adopts Worldcoin for personal verification and digital IDMalaysia aims to tackle national challenges and unlock economic opportunities by adopting cutting-edge biometric verification t
Elizabeth Warren wants ‘level playing field’ for crypto and Big Tech AI blocks
Martin Young2 hours agoElizabeth Warren wants ‘level playing field’ for crypto and Big Tech AI blocksThe U.S. senator wants crypto and traditional finance to play by the same rules and for tech giants to be barred fr
Limitless Bailouts: US Federal Reserve Announces Billion-Dollar Corporate Bond Purchase Program
Limitless Bailouts: US Federal Reserve Announces Billion-Dollar Corporate Bond Purchase ProgramDuring the last three months, the U.S. Federal Reserve has created a system of monetar
Deloitte: 82% of Indians Surveyed Plan to Invest in Crypto Once Government Provides Regulatory Clarity
Deloitte: 82% of Indians Surveyed Plan to Invest in Crypto Once Government Provides Regulatory Clarity A recent survey by Deloitte shows that 82% of Indians plan to invest in crypt
Aurora Labs Launches Turnkey Blockchain Solution for Businesses Transitioning to Web3
Aurora Labs Launches Turnkey Blockchain Solution for Businesses Transitioning to Web3 press release PRESS RELEASE.Aurora Cloud is the all-in-one cloud infrastructure solution bridgi
Magic Eden Foundation launches ME token for cross-chain trading
Josh O"Sullivan10 hours agoMagic Eden Foundation launches ME token for cross-chain tradingThe Magic Eden Foundation introduces the ME token to enhance cross-chain trading, driving NFT platform expansion and DApp integrat
Coinbase CEO Brian Armstrong: AI ‘should have crypto wallets’
Tristan Greene7 hours agoCoinbase CEO Brian Armstrong: AI ‘should have crypto wallets’Armstrong’s statements come as Coinbase launches a $15K bot accelerator.1285 Total views3 Total sharesListen to article 0:00News
Bitcoin drops to $63K, fails to rebound after Fed hints at future interest rate cuts
Nancy Lubale2 hours agoBitcoin drops to $63K, fails to rebound after Fed hints at future interest rate cutsBitcoin surprised traders by opening the week in the red, and the Federal Reserve’s announcement about future r
The Beginner’s Guide to Buying Goods on the Darknet
The Beginner’s Guide to Buying Goods on the Darknet Darknet markets (DNMs) supply all manner of goods, some legal, others less so, but all purchasable with cryptocurrency and d
Felix Ng7 hours agoMicroStrategy returns to profit and now owns $4.4B worth of BitcoinMichael Saylor’s MicroStrategy held 152,800 Bitcoin as of July 31, and is back in the black.4451 Total views31 Total sharesListen to