Full Report
Wormhole is the largest cross-chain bridge. As such, it connects with many, many different blockchains and programming languages. In Aptos, public(friend) functions are practically internal functions that cannot be called by the outside world. In particular, they can only be called by the same module or functions within the friend list. The function publish_event is for a Wormhole smart contract emitting an event that triggers offchain code, such as a relayer, to process it. Unfortunately, when you add a modifier (code that runs before or after a function) to it, the public(friend) is now callable by anyone. As a consequence, anybody can publish a token transfer event on the Aptos blockchain. Overall, a fairly simple bug in a weird contract ecosystem. The amount at risk was at 5M because of the Global Accountant mechanism. Additionally, there is a limit on the amount of funds that can be taken out in a given week depending on previous usage. I find these defense in depth protections amazing! We need more things like this to prevent hacks from stealing billions.
Analysis Summary
# Vulnerability: Unauthorized Event Emission in Wormhole Aptos Smart Contract
## CVE Details
- **CVE ID:** N/A (Smart contract specific vulnerability, common for DeFi protocols)
- **CVSS Score:** Estimated 8.6 (High) - `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N`
- **CWE:** CWE-284: Improper Access Control / CWE-664: Control of a Resource Through its Lifetime
## Affected Systems
- **Products:** Wormhole Cross-Chain Bridge
- **Versions:** Affected versions of the Wormhole Move modules on the Aptos blockchain prior to the fix.
- **Configurations:** Specific to the Aptos implementation where `public(friend)` functions were utilized in conjunction with custom modifiers.
## Vulnerability Description
The flaw stems from a compiler or architectural quirk within the Aptos Move ecosystem regarding function visibility. In Move, `public(friend)` functions are intended to be restricted to modules or packages defined within a specific "friend" list, effectively acting as internal functions to the outside world.
In the Wormhole implementation, the `publish_event` function—responsible for triggering off-chain relayers to process bridge actions—was marked as `public(friend)`. However, the inclusion of a functional modifier (code intended to execute before or after the main function logic) inadvertently overrode the visibility restrictions. This caused the Aptos runtime to treat the function as a standard `public` function, making it invokable by any external account.
## Exploitation
- **Status:** Not exploited in the wild (Reported via bug bounty/audit).
- **Complexity:** Low
- **Attack Vector:** Network
- **Technical Detail:** An attacker could craft a transaction calling the `publish_event` function directly. By doing so, they could spoof token transfer events, tricking off-chain relayers into believing a legitimate transfer occurred on Aptos, potentially leading to unauthorized minting or withdrawals on other connected chains.
## Impact
- **Confidentiality:** None
- **Integrity:** High (Ability to forge cross-chain signals and potentially drain assets).
- **Availability:** Low
- **Financial Risk:** Approximately $5M was at immediate risk; however, broader systemic risk was mitigated by the "Global Accountant" and weekly withdrawal limits.
## Remediation
### Patches
- The Wormhole Foundation updated the Aptos smart contracts to correctly restrict access to the event publishing logic.
- Ensure that Move-based contracts do not combine `public(friend)` visibility with modifiers that may alter the compiled bytecode's accessibility.
### Workarounds
- **Defense in Depth:** The impact was limited by the "Global Accountant" mechanism, which tracks the total supply of assets across all chains to ensure they do not exceed the locked collateral.
- **Rate Limiting:** Transaction limits on a per-week basis acted as a circuit breaker.
## Detection
- **Indicators of Compromise:** Unusual calls to the `publish_event` function originating from accounts not listed in the "friend" module.
- **Detection methods and tools:** Monitoring of the Aptos blockchain for direct calls to the affected function address. Verification of on-chain event legitimacy against off-chain bridge logs.
## References
- Wormhole Foundation Report: hxxps[://]wormhole[.]com/blog/certik-aptos-report
- CertiK Security Audit: hxxps[://]www[.]certik[.]com/resources/blog
- Aptos Move Documentation: hxxps[://]aptos[.]dev/move/book/functions