Critical security flaw patched on the same day it was submitted
An ethical hacker has earned a record $10 million bug bounty reward after discovering a critical security vulnerability in the Wormhole core bridge contract on Ethereum.
Wormhole is a decentralized, universal message-passing protocol that enables interoperability between blockchains such as Ethereum, Terra, and Binance Smart Chain (BSC).
Held to ransom
An attacker exploiting the vulnerability “could have held the entire protocol [to] ransom with the threat that the Ethereum Wormhole bridge would be bricked, and all the funds residing in that contract lost forever”, according to a proof of concept (PoC) posted to GitHub by Immunefi.
The PoC also noted that “$736 million worth of assets [were] residing in the contract at the time of submission”.
Wormhole awarded the maximum payout under its Immunefi-hosted bug bounty program to a bug hunter with the online pseudonym ‘satya0x’.
The flaw, described as “an upgradeable proxy implementation self-destruct bug”, was validated and patched on February 24, the same day Satya0x reported the issue.
Behind the bug
The Wormhole vulnerability arose after an implementation for a Universal Upgradeable Proxy Standard (UUPS) proxy “was uninitialized after a previous bugfix had reverted the original initialization, which meant an attacker could pass their own Guardian set and proceed with the upgrade as a Guardian they controlled”, according to a blog post published by Immunefi.
An attacker could then force an upgrade attempt with submitContractUpgrade(), causing a DELEGATECALL to an attacker-submitted address, which by executing a SELFDESTRUCT opcode could destroy the implementation contract.
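As an added illustration (not Wormhole's or Immunefi's code), the following minimal guardian-gated UUPS implementation shows the two checks whose absence the bug described above relied on: the bare implementation is marked initialized in its constructor, and the upgrade path refuses to run outside a proxy, so a direct call can no longer DELEGATECALL into self-destructing code in the implementation's own context. Every name except submitContractUpgrade() is an assumption for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical guardian-gated UUPS implementation (example code, not Wormhole's).
contract GuardianUpgradeable {
    // Immutable values live in bytecode, so __self is the implementation's own
    // address even when this code runs behind a proxy via DELEGATECALL.
    address private immutable __self = address(this);
    bool public initialized;
    mapping(address => bool) public isGuardian;

    constructor() {
        // HARDENING 1: the constructor writes to the implementation's own storage,
        // so nobody can later initialize() the bare implementation and install
        // their own Guardian set. Proxy storage is separate and still initializable.
        initialized = true;
    }

    function initialize(address[] calldata guardians) external {
        require(!initialized, "already initialized");
        initialized = true;
        for (uint256 i = 0; i < guardians.length; i++) {
            isGuardian[guardians[i]] = true;
        }
    }

    // HARDENING 2: only run behind a proxy. When called directly on the
    // implementation, address(this) == __self and the upgrade is refused.
    modifier onlyProxy() {
        require(address(this) != __self, "must be called through proxy");
        _;
    }

    function submitContractUpgrade(address newImplementation) external onlyProxy {
        require(isGuardian[msg.sender], "not a guardian");
        require(newImplementation.code.length > 0, "not a contract");
        // Hypothetical post-upgrade hook executed in the proxy's context; a
        // failing hook reverts the whole upgrade.
        (bool ok, ) = newImplementation.delegatecall(abi.encodeWithSignature("onUpgrade()"));
        require(ok, "upgrade initialisation failed");
        // EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
        bytes32 slot = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
        assembly { sstore(slot, newImplementation) }
    }
}
```

The same two protections exist in OpenZeppelin's upgradeable library as `_disableInitializers()` and the `onlyProxy` modifier.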
“I am proud to have played a role in mitigating a serious vulnerability and a systemic threat to the ecosystem,” said Satya0x, who praised Wormhole’s handling of “the entire bug bounty process” and Immunefi as “a knowledgeable, visible, and credibly neutral third party”.
The motive for offering such a huge reward is illustrated by the frequent, enormous losses resulting from successful hacks of Decentralized Finance (DeFi) platforms – not least the $325 million stolen from Wormhole itself earlier this year.
The payout eclipses the previous bug bounty record – a $2 million reward paid by blockchain technology company Polygon to ethical hacker Gerhard Wagner in October 2021 for a ‘double spend’ vulnerability.
To put the Wormhole reward into even sharper perspective, the sum is larger than the total amount paid out across all Google Vulnerability Reward Programs (VRPs) in 2021, $8.7 million.
MakerDAO, another decentralized finance (DeFi) platform, is also offering a potential maximum payout of $10 million.