How Did Aptos Avoid a $5 Million Crypto Meltdown?

CertiK found a critical vulnerability in the Wormhole bridge on Aptos, and Wormhole patched it before anyone could exploit it for up to $5 million.

Key Insights

  • CertiK found a major vulnerability in Aptos' Wormhole bridge that could have resulted in a $5 million hack.

  • The bug came from the way Move's ‘public(friend)’ and ‘entry’ function modifiers interact, which left functions meant for trusted callers open to any account and would have let attackers steal funds.

  • The Wormhole team patched the vulnerability within three hours and implemented safeguards to limit future hacks.

  • This isn't the first time Wormhole has been exploited, with a previous hack resulting in a $320 million loss in 2022.

In what could have been a disaster, with a possible crash and thousands of devastated investors, a blockchain security company recently caught a critical bug in the Wormhole bridge on the Aptos network before malicious actors did.

Had the flaw been found by the wrong person (or people), Aptos users could have faced up to $5 million in unauthorized transfers, adding to the growing list of hacks in 2024.

The Move Advantage

Aptos is a relatively new blockchain compared to most of the other top 100 blockchains.

The Aptos network grew out of Meta's Diem (formerly Libra) project and uses the Move programming language, which was developed for that project and has security-oriented features such as a resource-based type system.

Move is also one of the more robust languages for writing smart contracts: resources cannot be copied or silently discarded, and a bytecode verifier checks modules before they are published, which rules out classes of bugs that are common in Solidity contracts on Ethereum.

This is where things get interesting.

Upon investigation, CertiK found that the vulnerability came from the way the ‘public(friend)’ and ‘entry’ modifiers interact in Move on Aptos.

To put things simply, these modifiers control who can call a function: ‘public(friend)’ restricts a function to a declared list of friend modules, and ‘entry’ marks a function as directly callable from a transaction.

When the two are combined, the friend restriction only limits calls from other Move code; any account submitting a transaction can still call the function directly. Functions that Wormhole intended for trusted callers were therefore exposed to ANY caller, and could have been found by anyone curious enough to go looking.

Things Could Have Gone Bad

The flaw in the bridge's Aptos smart contracts could have let any attacker record token transfers on Aptos without actually moving any tokens.

Doing this would have tricked the Ethereum-side contracts of the Wormhole bridge into releasing real tokens, allowing the attacker to drain funds.
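To make the modifier interaction and the attack path concrete, here is an added example in Aptos Move. It is not Wormhole's code: the module names ‘bridge_example::outbox’ and ‘bridge_example::token_lock’ and every function in them are hypothetical. It assumes the Aptos rule that a function marked ‘entry’ can be invoked directly by any transaction sender regardless of its declared visibility, and it shows the weak ‘public(friend) entry’ pattern beside a hardened variant in which the message-emitting function can only be reached through a friend module that locks tokens first.

```move
/// Added example, not Wormhole's code: a toy outbound bridge on Aptos Move.
/// Module and function names are hypothetical. It relies on the Aptos rule
/// that `entry` functions can be invoked directly by any transaction sender,
/// whatever their declared visibility.
module bridge_example::outbox {
    use std::signer;
    use std::vector;

    /// The only module allowed to call the `public(friend)` functions below.
    friend bridge_example::token_lock;

    /// A message a relayer reads to release tokens on the other chain.
    struct Message has store, copy, drop {
        sender: address,
        recipient: vector<u8>,
        amount: u64,
    }

    /// Append-only log of outbound transfer messages, stored under @bridge_example.
    struct Outbox has key {
        messages: vector<Message>,
    }

    public entry fun init(admin: &signer) {
        // Hypothetical setup: only the deployer account holds the Outbox.
        assert!(signer::address_of(admin) == @bridge_example, 1);
        move_to(admin, Outbox { messages: vector::empty<Message>() });
    }

    /// WEAK: `public(friend) entry`. The friend restriction only applies to
    /// calls from other Move code; `entry` lets any account submit a
    /// transaction that calls this directly and logs a transfer that never
    /// locked any tokens.
    public(friend) entry fun emit_transfer_weak(
        caller: &signer, recipient: vector<u8>, amount: u64
    ) acquires Outbox {
        record(signer::address_of(caller), recipient, amount);
    }

    /// HARDENED: no `entry`, so the only way to reach this function is through
    /// a friend module (below) that has already locked the tokens.
    public(friend) fun emit_transfer(
        sender: address, recipient: vector<u8>, amount: u64
    ) acquires Outbox {
        record(sender, recipient, amount);
    }

    fun record(sender: address, recipient: vector<u8>, amount: u64) acquires Outbox {
        let outbox = borrow_global_mut<Outbox>(@bridge_example);
        vector::push_back(&mut outbox.messages, Message { sender, recipient, amount });
    }

    #[view]
    public fun message_count(): u64 acquires Outbox {
        vector::length(&borrow_global<Outbox>(@bridge_example).messages)
    }
}

/// Friend module: the legitimate entry point locks coins first, then emits.
module bridge_example::token_lock {
    use std::signer;
    use aptos_framework::coin::{Self, Coin};
    use bridge_example::outbox;

    struct Vault<phantom CoinType> has key {
        locked: Coin<CoinType>,
    }

    public entry fun init_vault<CoinType>(admin: &signer) {
        assert!(signer::address_of(admin) == @bridge_example, 1);
        move_to(admin, Vault<CoinType> { locked: coin::zero<CoinType>() });
    }

    /// The public entry point users are meant to call: withdraw and lock
    /// `amount` of CoinType, and only then log the outbound message.
    public entry fun lock_and_transfer<CoinType>(
        user: &signer, recipient: vector<u8>, amount: u64
    ) acquires Vault {
        let coins = coin::withdraw<CoinType>(user, amount);
        let vault = borrow_global_mut<Vault<CoinType>>(@bridge_example);
        coin::merge(&mut vault.locked, coins);
        outbox::emit_transfer(signer::address_of(user), recipient, amount);
    }
}
```

With the weak function present, any account can submit a transaction that calls ‘bridge_example::outbox::emit_transfer_weak’, and a message lands in the outbox without a single coin being locked; that is the kind of simulated transfer a relayer would then honour on the destination chain. Dropping ‘entry’ closes that path: the bytecode verifier rejects any call to ‘emit_transfer’ that does not come from a declared friend, so the only way to get a message logged is through ‘lock_and_transfer’, which takes the coins first.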

The Wormhole flaw announcement

CertiK revealed that it discovered the flaw and reported it to the Wormhole team.

Both teams then got to work patching, rebuilding and testing the protocol, and had a fix in place within three hours.

Preventive Measures in Place

Soon after the vulnerability was patched, the Wormhole team added safeguards to the protocol, including tightening the ‘governor rate limits’ so that only $1 million per day can leave the bridge from Aptos, instead of $5 million.

This means that if another exploit does occur, the attacker(s) would be capped at roughly $1 million of outflow before the limit kicks in and they can be tracked down, instead of the previous $5 million.

So far, Wormhole has confirmed that no user funds were lost and that it remains committed to keeping user assets safe.

Keep in mind that something like this happened before, in February 2022, when an attacker exploited a signature-verification flaw on the Solana side of the bridge connecting Ethereum and Solana.

In the end, the hacker stole roughly 120,000 wrapped Ether (wETH) tokens, worth around $320 million at the time.

In February 2023, a year later, Web3 firms including Jump Crypto conducted a "counter exploit" against the Wormhole hacker and recovered a total of $225 million.

Overall, the Wormhole team's commitment to finding and rooting out flaws, together with CertiK's involvement, shows a proactive approach to keeping funds safe and maintaining trust within the blockchain ecosystem.

Disclaimer: Voice of Crypto aims to deliver accurate and up-to-date information, but it will not be responsible for any missing facts or inaccurate information. Cryptocurrencies are highly volatile financial assets, so research and make your own financial decisions.
