According to a social media post by blockchain security platform CertiK, a security flaw in the Wormhole bridge on Aptos network could have resulted in $5 million worth of losses had it not been discovered. The platform said it discovered the bug and reported it to the Wormhole team. The bug has been fixed and the bridge is no longer vulnerable.
The CertiK report was posted as a video. It claimed that the flaw "occurred due to incorrect implementation of the public(friend) and entry modifiers" in the Move programming language. The public(friend) modifier allows a function to be called by other functions in the same module or by callers specified in the module's "friends list", but not by anyone else. The "entry" modifier, on the other hand, marks a function as a transaction entry point that can be invoked from any external account.
Because of this flaw, an attacker could have created fake transactions that appeared to move tokens from one account to another, even though no actual tokens were being moved. These “events” could have caused the Ethereum version of the bridge to mint or unlock tokens without having any real deposits backing them on the Aptos side. As a result, the attacker could have drained up to $5 million worth of funds from the bridge, CertiK stated.
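As an added illustration of the two modifiers described above, the constructed Aptos Move code below (not Wormhole's or CertiK's code; module and function names are hypothetical) contrasts an event-publishing function that is friend-only with one that additionally carries `entry`. It assumes standard Aptos Move semantics, under which `entry` makes a function callable from a transaction regardless of its `public(friend)` visibility, and uses the Aptos framework's `event::emit` and `coin::transfer` APIs.

```move
// Constructed example, not code from the bridge discussed in the article.
module bridge_demo::events {
    use std::signer;
    use aptos_framework::event;

    // Only the deposit module (a friend) may call public(friend) functions here.
    friend bridge_demo::deposit;

    /// Relayed off-chain; the other side of a bridge acts on this record.
    #[event]
    struct TransferEvent has drop, store {
        from: address,
        amount: u64,
    }

    /// Friend-only, no `entry`: reachable only from bridge_demo::deposit,
    /// so it runs only after that module has actually locked tokens.
    public(friend) fun publish_transfer(from: address, amount: u64) {
        event::emit(TransferEvent { from, amount });
    }

    /// Same body, but also marked `entry`. The `entry` modifier turns this
    /// into a transaction entry point, so any account can invoke it directly
    /// and emit a TransferEvent with no deposit behind it. The fix is simply
    /// to drop `entry` from functions meant for module-internal callers.
    public(friend) entry fun publish_transfer_unsafe(caller: &signer, amount: u64) {
        event::emit(TransferEvent { from: signer::address_of(caller), amount });
    }
}

module bridge_demo::deposit {
    use std::signer;
    use aptos_framework::coin;
    use aptos_framework::aptos_coin::AptosCoin;
    use bridge_demo::events;

    /// The intended user-facing path: custody the tokens first, then record
    /// the event through the friend-only function.
    public entry fun deposit(user: &signer, amount: u64) {
        // Move the coins into the bridge's custody account before emitting
        // anything the other chain could act on.
        coin::transfer<AptosCoin>(user, @bridge_demo, amount);
        events::publish_transfer(signer::address_of(user), amount);
    }
}
```

The review check that follows from this is mechanical: any function declared `public(friend) entry` (or `entry` with a non-public visibility) should be examined to confirm it is genuinely safe to call from an arbitrary transaction, since the visibility keyword alone does not block that path.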
Image: Pintu