Critical security flaw patched on the same day it was submitted

Blockchain bridge Wormhole pays record $10m bug bounty reward

An ethical hacker has earned a record $10 million bug bounty reward after discovering a critical security vulnerability in the Wormhole core bridge contract on Ethereum.

Wormhole is a decentralized, universal message-passing protocol that enables interoperability between blockchains such as Ethereum, Terra, and Binance Smart Chain (BSC).

Held to ransom

An attacker exploiting the vulnerability “could have held the entire protocol [to] ransom with the threat that the Ethereum Wormhole bridge would be bricked, and all the funds residing in that contract lost forever”, according to a proof of concept (PoC) posted to GitHub by Immunefi.

The PoC also noted that “$736 million worth of assets [were] residing in the contract at the time of submission”.

Wormhole awarded the maximum payout under its Immunefi-hosted bug bounty program to a bug hunter with the online pseudonym ‘satya0x’.

Catch up and the latest bug bounty news and analysis

The flaw, described as “an upgradeable proxy implementation self-destruct bug”, was validated and patched on February 24, the same day Satya0x reported the issue.

Behind the bug

The Wormhole vulnerability arose after an implementation for a Universal Upgradeable Proxy Standard (UUPS) proxy “was uninitialized after a previous bugfix had reverted the original initialization, which meant an attacker could pass their own Guardian set and proceed with the upgrade as a Guardian they controlled”, according to a blog post published by Immunefi.

RECOMMENDED US revises policy regarding Computer Fraud and Abuse Act, will not prosecute good faith research

An attacker could then force an upgrade attempt with submitContractUpgrade(), causing a DELEGATECALL to an attacker-submitted address, which by executing a SELFDESTRUCT opcode could destroy the implementation contract.

“I am proud to have played a role in mitigating a serious vulnerability and a systemic threat to the ecosystem,” said Satya0x, who praised Wormhole’s handling of “the entire bug bounty process” and Immunefi as “a knowledgeable, visible, and credibly neutral third party”.

Blockchain bonanza

The motive for offering such a huge reward is illustrated by the frequent, enormous losses resulting from successful hacks of Decentralized Finance (DeFi) platforms – not least the $325 million stolen from Wormhole itself earlier this year.

The payout eclipses the previous bug bounty record – a $2 million reward paid by blockchain technology company Polygon to ethical hacker Gerhard Wagner in October 2021 for a ‘double spend’ vulnerability.

Read more of the latest blockchain security news

To put the Wormhole reward into even sharper perspective, the sum is larger than the total amount paid out across all Google Vulnerability Reward Programs (VRPs) in 2021, $8.7 million.

MakerDAO, another decentralized finance (DeFi) platform, is also offering a potential maximum payout of $10 million.

RECOMMENDED UK government sits out bug bounty boom but welcomes vulnerability disclosure