Bridge hacks were incidents that caught the attention of Vitalik Buterin in early 2022 and subsequently caused significant headaches for investors. Millions of dollars were stolen from the Ronin bridge. Now, a critical vulnerability that could lead to even greater losses in the future has been discovered early. The vulnerability found in the Aptos network was due to the misuse of the MOVE coding language. Here are the details.
Critical Security Vulnerability
CertiK is one of the well-known cybersecurity and auditing firms in the crypto space. Before smart contracts go live, if they do not intend to defraud their investors, they obtain code review services from auditing firms like CertiK. These firms identify vulnerabilities in smart contracts and patch them.
In addition to similar processes to penetration tests conducted by traditional cybersecurity firms, those in crypto focus on coding errors, which are a major issue. Overlooked flaws in the code that attackers can exploit as entry points can lead to massive losses. According to a social media post by CertiK, one such critical flaw was detected in the Wormhole bridge on the Aptos network.
The platform announced that it had discovered the error and had contacted the Wormhole team. Since it is not heavily used yet, a hack at this stage could have resulted in a loss of at least $5 million.
Aptos Security Vulnerability
The Aptos network, built with the MOVE language developed for Facebook’s famous Libra project, is currently among the networks competing with Solana. Developers had thought until now that the MOVE language was safer compared to others. However, according to the company’s report, the flaw mentioned in the first section was due to the incorrect use of the MOVE language. The team said;
“It stems from the incorrect application of the ‘public(friend)’ and ‘entry’ modifiers in the MOVE programming language. The ‘public(friend)’ modifier allows a function to be called by other functions within the same module or by external accounts specified on a ‘friends list’, but not by other callers. On the other hand, the ‘entry’ modifier indicates that a function can be called by any external account.”
The team coding the bridge caused this vulnerability due to the exploitable design of the ‘publish_event’ function. Setting aside these technical jargons, we could have seen a malicious actor use the code vulnerability to transfer non-existent tokens across the bridge and sell them on the other side. The assets passing through the bridge are first collateralized and then the local versions are unlocked on the network. The new patch removed the ‘entry’ keyword from the publish_event function, eliminating the vulnerability. Wormhole had suffered a loss of $321 million in 2022 due to a similar flaw.
