CertiK, a blockchain security platform, recently uncovered a significant security flaw in the Wormhole bridge on the Aptos network. If left undiscovered, this flaw could have potentially resulted in losses amounting to $5 million. Fortunately, CertiK identified the bug and promptly reported it to the Wormhole team, who have since fixed the vulnerability.
The flaw was detailed in a video released by CertiK. It was attributed to an incorrect implementation of the public(friend) and “entry” modifiers within the MOVE programming language. The public(friend) modifier allows a function to be called by other functions within the same module or by external accounts specified in the “friends list,” but not by other callers. In contrast, the “entry” modifier enables the function to be called from any external account.
As a consequence of this flaw, malicious actors could have exploited the bridge by generating counterfeit transactions that appeared to transfer tokens between accounts. However, no actual tokens would have been moved during these transactions. These deceptive “events” could have led to the Ethereum version of the bridge minting or unlocking tokens without legitimate deposits supporting them on the Aptos side. Ultimately, this could have enabled the attacker to drain up to $5 million in funds from the bridge.
It is worth noting that CertiK’s quick identification of the security flaw and subsequent report to the Wormhole team prevented any potential losses and allowed for the necessary remediation steps to be implemented.