Fun

CertiK discovered $5M security flaw in Wormhole bridge on Aptos

News Feed - 2024-05-14 04:05:01

Christopher Roark4 hours agoCertiK discovered $5M security flaw in Wormhole bridge on AptosA flaw in the bridge could have allowed an attacker to produce fake token transfers, but it was discovered and patched before anyone could take advantage of it.505 Total views1 Total sharesListen to article 0:00NewsOwn this piece of crypto historyCollect this article as NFTJoin us on social networksA security flaw in the Wormhole bridge on Aptos network could have resulted in $5 million worth of losses had it not been discovered, according to a social media post from blockchain security platform CertiK. The platform claimed to have discovered the bug and reported it to the Wormhole team before it could be expl. The flaw has been patched, and the bridge is no longer vulnerable.Source: CertiK.


Aptos is a blockchain network that uses the MOVE programming language, which was originally developed by Facebook for the Libra project. Supporters of MOVE claim that it is a safer language to write smart contracts when compared to Ethereum’s Solidity or other alternatives.


The CertiK report was posted in the form of a video. It claimed the flaw “arose from an incorrect implementation of the ‘public(friend)’ and ‘entry’ modifiers in the MOVE programming language.” The ‘public(friend)’ modifier allows a function to be called by other functions within the same module or by external accounts specified on a “friends list,” but not by other callers. On the other hand, the ‘entry’ modifier specifies that a function can be called by any external account.


The bridge contained a function called ‘publish_event,” which was used to announce events such as token transfers. It was only supposed to be callable by other functions within the same module or by certain “specified external entities.” However, in the version of the bridge that CertiK studied, the function was modified by both ‘public(friend)’ and ‘entry.’ This made it possible for anyone to call ‘publish_event,” even if they were not an approved caller.


Because of this flaw, an attacker could have created fake transactions that appeared to move tokens from one account to another, even though no actual tokens were being moved. These “events” could have caused the Ethereum version of the bridge to mint or unlock tokens without having any real deposits backing them on the Aptos side. As a result, the attacker could have drained up to $5 million worth of funds from the bridge, CertiK stated.


CertiK informed members of the Wormhole team about the flaw on Dec 5, 2023. After investigating the report, the team developed and tested a patch to close the security loophole and informed the protocol’s Guardians of the issue. Via a multisignature vote, the Guardians approved the patch to be implemented, and the protocol’s Aptos contract was upgraded to implement the new code. Once the flaw was reported, the process of fixing it took approximately three hours, and the new version of the bridge is no longer vulnerable to this exploit.Wormhole Aptos exploit timeline. Source: CertiK.


In addition to removing the ‘entry’ keyword from the publish_event function, the new patch also restricted the value of the “governor rate limits” on Aptos from $5 million to $1 million, effectively preventing withdrawals from Aptos of greater than $1 million per day. This was done to limit losses in case of a future exploit. Current usage is below $1 million per day, CertiK claimed, implying that the rate limit shouldn’t affect most users.


Wormhole also performed a “retrospective analysis” to determine whether any user funds had been affected by the issue. They concluded that no funds had been illicitly transferred and that users’ balances were safe.


Wormhole hasn’t always managed to catch security flaws before they are exploited. In 2022, it lost more than $321 million when a bug in the Solana part of the bridge allowed an attacker to mint unbacked tokens. However, the team later patched the bug and compensated users. In January, Wormhole reclaimed $1 billion in total value locked for the first time since the incident, showing that some users feel its security practices have improved.


Related:Bugs in Gains Network fork let traders profit 900% on every trade: Report# Ethereum# Hackers# Cybersecurity# Scams# Hacks# DeFiAdd reaction

News Feed

Bitcoin, Ethereum Technical Analysis: BTC Surges Above $22,000 Ahead of NFP Report
Bitcoin, Ethereum Technical Analysis: BTC Surges Above $22,000 Ahead of NFP Report Ahead of the latest nonfarm payrolls report, bitcoin rose to a multi-week high above $22,000 on F
Jesse Coghlan5 hours agoMiami Heat’s Jimmy Butler seeks dismissal from Binance promo class suitLawyers for the basketball star claim he did not mention any alleged securities but instead warned of celebrities promoting
Fidelity Optimistic About Bitcoin Regulation Under Biden Administration — Sees Strong Institutional Demand
Fidelity Optimistic About Bitcoin Regulation Under Biden Administration — Sees Strong Institutional Demand Fidelity Digital Assets President Tom Jessop has sha
This Crowdsourced Project Attempts to Reveal American Politicians That Own Bitcoin
This Crowdsourced Project Attempts to Reveal American Politicians That Own Bitcoin On September 19, 2021, the software developer and cofounder of Casa, Jameson Lopp, announced a ne
Savannah Fortis14 hours agoOpenAI and Microsoft partner with Humane on wearable AI pinAI startup Humane launched the wearable virtual assistant AI Pin that is embedded with technology from OpenAI and cloud computing serv
Bitcoin to enter pre-halving ’danger zone,’ but crypto CEOs remain bullish
Jesse Coghlan6 hours agoBitcoin to enter pre-halving ’danger zone,’ but crypto CEOs remain bullishBitcoin has historically dipped in the weeks before the halving and might repeat such a move within the next week.7976
Equalizer DEX hacker drains funds: Users warned, investigation underway
Josh O"Sullivan13 hours agoEqualizer DEX hacker drains funds: Users warned, investigation underwayA hacker has siphoned tokens through a series of unauthorized transactions, leaving the crypto community in shock.2909 Tot
Bitcoin, Ethereum Technical Analysis: ETH Back Above $2,100, as BTC Rebounds From 1-Week Low
Bitcoin, Ethereum Technical Analysis: ETH Back Above $2,100, as BTC Rebounds From 1-Week Low Ethereum moved back above $2,100 on Tuesday, as markets reacted to the latest gross dom
Crypto Market Is ‘Development Vector’ of Nation’s Digital Economy, Ukraine President Says
Crypto Market Is ‘Development Vector’ of Nation’s Digital Economy, Ukraine President Says President of Ukraine Volodymyr Zelensky has highlighted the importance of launching
Arizona Senator Launches Bill to Make Bitcoin Legal Tender
Arizona Senator Launches Bill to Make Bitcoin Legal Tender A senator in the U.S. state of Arizona has introduced a set of cryptocurrency bills, one of which seeks to make bitcoin l
Coinbase earnings suggest strong year ahead, though challenges abound
Sandeep Rao10 hours agoCoinbase earnings suggest strong year ahead, though challenges aboundCoinbase"s quarterly earnings report released last week indicated the company is well-positioned to tap into a number of growing
Arijit Sarkar2 hours agoSEC seeks summary judgment in Do Kwon and Terraform Labs caseThe “evidence” of violations provided by the SEC points to Kwon’s involvement in misleading crypto investors by creating and mark