
CertiK discovered $5M security flaw in Wormhole bridge on Aptos

News Feed - 2024-05-14 04:05:01

Christopher Roark, 4 hours ago

A flaw in the bridge could have allowed an attacker to produce fake token transfers, but it was discovered and patched before anyone could take advantage of it.

A security flaw in the Wormhole bridge on Aptos network could have resulted in $5 million worth of losses had it not been discovered, according to a social media post from blockchain security platform CertiK. The platform claimed to have discovered the bug and reported it to the Wormhole team before it could be exploited. The flaw has been patched, and the bridge is no longer vulnerable.

Source: CertiK.


Aptos is a blockchain network that uses the MOVE programming language, which was originally developed by Facebook for the Libra project. Supporters of MOVE claim that it is a safer language to write smart contracts when compared to Ethereum’s Solidity or other alternatives.


The CertiK report was posted in the form of a video. It claimed the flaw “arose from an incorrect implementation of the ‘public(friend)’ and ‘entry’ modifiers in the MOVE programming language.” The ‘public(friend)’ modifier allows a function to be called by other functions within the same module or by external accounts specified on a “friends list,” but not by other callers. On the other hand, the ‘entry’ modifier specifies that a function can be called by any external account.


The bridge contained a function called ‘publish_event’, which was used to announce events such as token transfers. It was only supposed to be callable by other functions within the same module or by certain “specified external entities.” However, in the version of the bridge that CertiK studied, the function was modified by both ‘public(friend)’ and ‘entry.’ This made it possible for anyone to call ‘publish_event’, even if they were not an approved caller.
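To make the two modifiers concrete, here is an added illustrative Move package that is not Wormhole's code: the address `bridge_demo`, the module names, the struct names and the simplified deposit accounting are all assumptions. In Move, a `friend` declaration names a module (not an account), and `entry` marks a function as a transaction entry point that the VM invokes directly, so combining `public(friend)` with `entry` lets any account submit a transaction that reaches the function without going through a friend module. The corrected form below matches the fix the article describes later: `entry` is removed and the only path to `publish_event` is the bridge module that records a real deposit first.

```move
// Added example, not Wormhole's code. Addresses, module and struct names are assumed.
module bridge_demo::message_store {
    use std::vector;

    // Friend list: only this module may call the public(friend) functions below.
    friend bridge_demo::token_bridge;

    struct TransferEvent has copy, drop, store {
        amount: u64,
        recipient: address,
    }

    struct EventLog has key {
        events: vector<TransferEvent>,
    }

    // Runs once when the package is published under @bridge_demo.
    fun init_module(deployer: &signer) {
        move_to(deployer, EventLog { events: vector::empty<TransferEvent>() });
    }

    // BEFORE (the pattern the report describes): `entry` turns the function into a
    // transaction entry point, so any account can submit a transaction that records
    // a transfer that never happened. The friend list does not help, because an
    // entry function is invoked by the VM rather than by another module.
    //
    //   public(friend) entry fun publish_event(amount: u64, recipient: address) acquires EventLog { ... }

    // AFTER: friend-only and not an entry point. The sole caller is
    // bridge_demo::token_bridge, which publishes only after a real deposit.
    public(friend) fun publish_event(amount: u64, recipient: address) acquires EventLog {
        let log = borrow_global_mut<EventLog>(@bridge_demo);
        vector::push_back(&mut log.events, TransferEvent { amount, recipient });
    }

    // Read-only helper so the number of recorded transfers can be inspected.
    public fun event_count(): u64 acquires EventLog {
        vector::length(&borrow_global<EventLog>(@bridge_demo).events)
    }
}

module bridge_demo::token_bridge {
    use std::signer;
    use bridge_demo::message_store;

    const E_ZERO_AMOUNT: u64 = 1;

    // Simplified deposit accounting (assumption): a single locked-value counter
    // stands in for the real coin-locking logic.
    struct Vault has key {
        locked: u64,
    }

    fun init_module(deployer: &signer) {
        move_to(deployer, Vault { locked: 0 });
    }

    // The legitimate path: the user's deposit is accounted for first, and only then
    // is a transfer event published. This is the only way to reach publish_event.
    public entry fun deposit(user: &signer, amount: u64, recipient: address) acquires Vault {
        assert!(amount > 0, E_ZERO_AMOUNT);
        let _depositor = signer::address_of(user);
        let vault = borrow_global_mut<Vault>(@bridge_demo);
        vault.locked = vault.locked + amount;
        message_store::publish_event(amount, recipient);
    }
}
```

The check a reviewer would apply to any Move bridge module is therefore mechanical: every function that emits a cross-chain message must be reachable only from code that has already verified the deposit, which means no `entry` modifier on it and a friend list limited to the module that performs that verification.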


Because of this flaw, an attacker could have created fake transactions that appeared to move tokens from one account to another, even though no actual tokens were being moved. These “events” could have caused the Ethereum version of the bridge to mint or unlock tokens without having any real deposits backing them on the Aptos side. As a result, the attacker could have drained up to $5 million worth of funds from the bridge, CertiK stated.


CertiK informed members of the Wormhole team about the flaw on Dec 5, 2023. After investigating the report, the team developed and tested a patch to close the security loophole and informed the protocol’s Guardians of the issue. Via a multisignature vote, the Guardians approved the patch to be implemented, and the protocol’s Aptos contract was upgraded to implement the new code. Once the flaw was reported, the process of fixing it took approximately three hours, and the new version of the bridge is no longer vulnerable to this exploit.

Wormhole Aptos exploit timeline. Source: CertiK.


In addition to removing the ‘entry’ keyword from the publish_event function, the new patch also restricted the value of the “governor rate limits” on Aptos from $5 million to $1 million, effectively preventing withdrawals from Aptos of greater than $1 million per day. This was done to limit losses in case of a future exploit. Current usage is below $1 million per day, CertiK claimed, implying that the rate limit shouldn’t affect most users.
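The second part of the patch, a per-day cap on value leaving the Aptos side, is a defence-in-depth control that bounds the loss from any future bug regardless of its cause. The following is an added illustrative Move module, not Wormhole's governor implementation: the module name, the `bridge_demo` address, the whole-dollar unit of `DAILY_LIMIT` and the rolling 24-hour window are assumptions; the limit value itself is the $1 million figure the article reports.

```move
// Added example, not Wormhole's governor. Names, address and the USD unit are assumed.
module bridge_demo::governor {
    use aptos_framework::timestamp;

    // Only the bridge module may consume rate-limit capacity.
    friend bridge_demo::token_bridge;

    const E_RATE_LIMIT_EXCEEDED: u64 = 1;
    const WINDOW_SECS: u64 = 86400;       // 24-hour window (assumption)
    const DAILY_LIMIT: u64 = 1_000_000;   // cap in whole USD (assumed unit), per the article

    struct Governor has key {
        window_start: u64,   // unix seconds at which the current window opened
        spent: u64,          // value released so far in the current window
    }

    fun init_module(deployer: &signer) {
        move_to(deployer, Governor { window_start: timestamp::now_seconds(), spent: 0 });
    }

    // Called by the bridge before releasing `amount` to a user. Aborts if the release
    // would push the window total above DAILY_LIMIT, so a single bug cannot drain
    // more than the cap before operators can react.
    public(friend) fun consume(amount: u64) acquires Governor {
        let g = borrow_global_mut<Governor>(@bridge_demo);
        let now = timestamp::now_seconds();
        // Reset the counter once the window has elapsed.
        if (now >= g.window_start + WINDOW_SECS) {
            g.window_start = now;
            g.spent = 0;
        };
        assert!(g.spent + amount <= DAILY_LIMIT, E_RATE_LIMIT_EXCEEDED);
        g.spent = g.spent + amount;
    }

    // Remaining capacity in the current window, for monitoring and alerting.
    public fun remaining(): u64 acquires Governor {
        let g = borrow_global<Governor>(@bridge_demo);
        if (timestamp::now_seconds() >= g.window_start + WINDOW_SECS) {
            DAILY_LIMIT
        } else {
            DAILY_LIMIT - g.spent
        }
    }
}
```

The `remaining()` view is the value worth watching operationally: a cap that is suddenly exhausted when normal usage sits well below it, as the article says it does here, is itself a detection signal that something is wrong on the Aptos side.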


Wormhole also performed a “retrospective analysis” to determine whether any user funds had been affected by the issue. They concluded that no funds had been illicitly transferred and that users’ balances were safe.


Wormhole hasn’t always managed to catch security flaws before they are exploited. In 2022, it lost more than $321 million when a bug in the Solana part of the bridge allowed an attacker to mint unbacked tokens. However, the team later patched the bug and compensated users. In January, Wormhole reclaimed $1 billion in total value locked for the first time since the incident, showing that some users feel its security practices have improved.


