08 Dec 2023

Report on Certik’s Aptos-Related Bug Bounty

On Tuesday December 5th, 2023, the Wormhole Bug Bounty Program received a report from Certik about a bug in the Aptos contracts for Wormhole.  This bug was quickly confirmed as valid, a patch was developed, governance was performed and the fix was deployed on chain within hours.

We’d like to extend our gratitude to the Certik team for their professionalism and responsible disclosure, and we are glad to report that no users were impacted. We are incredibly grateful for the vibrant community of white-hats working around the clock to keep Wormhole and the broader crypto ecosystem safe!

Timeline of Events

The following is an account of the events in the order in which they occurred (all times UTC, approximate).

Time                       Action
2023-12-05 @ ~18:16 UTC    Certik files Bounty Report to Immunefi
2023-12-05 @ ~18:17 UTC    Certik also reaches out to Wormhole Security Contributors directly on Slack
2023-12-05 @ ~18:17 UTC    Immunefi filtering begins evaluating the report for spam/validity
2023-12-05 @ ~18:36 UTC    Immunefi escalates to Wormhole PagerDuty
2023-12-05 @ ~18:41 UTC    Wormhole Security Contributors establish a war room to analyze the report
2023-12-05 @ ~19:47 UTC    Wormhole Security Contributors confirm the report as valid
2023-12-05 @ ~19:54 UTC    Wormhole Security Contributors develop and test a security patch and get sign-off from Wormhole Security Council members
2023-12-05 @ ~21:21 UTC    Wormhole Security Contributors propose governance action for Guardians
2023-12-05 @ ~21:37 UTC    14 of 19 Guardians sign governance action
2023-12-05 @ ~21:38 UTC    Wormhole Security Contributors apply a security patch to the Aptos contracts

Technical Analysis

The bug itself was relatively simple in nature. In Move contracts on Aptos, public(friend) functions are effectively internal: they can only be called by other functions in the same module or by modules explicitly declared in the friend list. This modifier was applied to the publish_event() function.

However, when the entry modifier is also applied to a public(friend) function, it has the side effect of making that function a transaction entry point, and therefore callable by anyone who submits a transaction. This allowed anyone to publish a token transfer event whose payload named an arbitrary token and token amount without any actual token transfer taking place.

The security fix was simply to remove the entry modifier, so that the function was no longer publicly callable. Wormhole security contributors conducted a thorough review of all contract transactions, tracing them back to the contracts' initial deployment. This review confirmed that the bug was never exploited in the wild and that user funds were never impacted.
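The pattern described above is easy to check for mechanically. The following is an added example (not Wormhole or Certik code) that scans Move source text for functions declared with both public(friend) and entry; the embedded Move snippet is a constructed, hypothetical reconstruction of the vulnerable and fixed declarations, not the actual contract.

```python
"""Flag Move functions declared `public(friend) entry`: the `entry` modifier
makes them callable as a transaction entry point by any signer, defeating the
friend-only visibility the author intended (the pattern behind this bug)."""
import re

# A Move function signature: modifiers in any order, then `fun <name>`.
# `^[ \t]*` keeps the match on the function's own line so line numbers are exact.
FUN_RE = re.compile(
    r"^[ \t]*(?P<mods>(?:(?:public(?:\(friend\))?|entry|native|inline)\s+)*)"
    r"fun\s+(?P<name>\w+)",
    re.MULTILINE,
)

def find_friend_entry_functions(source: str) -> list[dict]:
    """Return every function carrying both `public(friend)` and `entry`.
    A private `entry fun` is the normal way to write a transaction-only
    function and is not flagged; `public entry fun` is deliberately open."""
    findings = []
    for m in FUN_RE.finditer(source):
        mods = set(m.group("mods").split())
        if "entry" in mods and "public(friend)" in mods:
            findings.append({
                "name": m.group("name"),
                "line": source.count("\n", 0, m.start()) + 1,
            })
    return findings

# Constructed sample source (hypothetical module and names), not the real contract.
SAMPLE_MOVE = """\
module bridge::token_bridge {
    friend bridge::transfer_tokens;

    // Hypothetical reconstruction of the vulnerable declaration:
    // `entry` turns a friend-only function into a public transaction entry point.
    public(friend) entry fun publish_event(token: address, amount: u64) {
        // emits a transfer event without moving any tokens
    }

    // Fixed form: `entry` removed, so only this module and its friends can call it.
    public(friend) fun publish_event_fixed(token: address, amount: u64) {
    }

    // Deliberately open entry point; not flagged.
    public entry fun transfer(sender: &signer, amount: u64) {
    }
}
"""

if __name__ == "__main__":
    for f in find_friend_entry_functions(SAMPLE_MOVE):
        print(f"line {f['line']}: public(friend) entry fun {f['name']} is callable by any signer")
```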

Due to Wormhole's defense-in-depth approach, the potential token-based risk exposure was limited to $5M, as constrained by the Governor and Accountant safety mechanisms. Additionally, a retroactive analysis of volume coming from Aptos over the past six months led the Guardians to draw down the daily Governor limit this week from $5M to $1M per 24-hour period, to be more in line with current usage.

Parting Thoughts

We’re very proud of the Wormhole Bug Bounty Program and its significant contribution to the overall Wormhole Security Program. This recent report highlights its strategic importance. Although the contracts in question were carefully reviewed internally by Wormhole security contributors and externally audited by best-in-class, third-party auditing firms before deployment, this case reinforces the necessity of a multi-layered security program that includes both a robust bug bounty program and a strong community of white-hat hackers.

For those interested in supporting and securing the Wormhole ecosystem, check out the Wormhole Bug Bounty Program.