
Blockchain bridge Wormhole pays record $10m bug bounty reward

An ethical hacker has earned a record $10 million bug bounty reward after discovering a critical security vulnerability in the Wormhole core bridge contract on Ethereum.

Wormhole is a decentralized, universal message-passing protocol that enables interoperability between blockchains such as Ethereum, Terra, and Binance Smart Chain (BSC).

Held to ransom

An attacker exploiting the vulnerability “could have held the entire protocol [to] ransom with the threat that the Ethereum Wormhole bridge would be bricked, and all the funds residing in that contract lost forever”, according to a proof of concept (PoC) posted to GitHub by Immunefi.

The PoC also noted that “$736 million worth of assets [were] residing in the contract at the time of submission”.

Wormhole awarded the maximum payout under its Immunefi-hosted bug bounty program to a bug hunter with the online pseudonym ‘satya0x’.

The flaw, described as “an upgradeable proxy implementation self-destruct bug”, was validated and patched on February 24, the same day Satya0x reported the issue.

Behind the bug

The Wormhole vulnerability arose after an implementation for a Universal Upgradeable Proxy Standard (UUPS) proxy “was uninitialized after a previous bugfix had reverted the original initialization, which meant an attacker could pass their own Guardian set and proceed with the upgrade as a Guardian they controlled”, according to a blog post published by Immunefi.

An attacker could then force an upgrade attempt with submitContractUpgrade(), causing a DELEGATECALL to an attacker-submitted address, which by executing a SELFDESTRUCT opcode could destroy the implementation contract.
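To make the defect class concrete, here is an added, deliberately simplified Solidity stand-in (not Wormhole's code) for a UUPS-style implementation whose initializer sets the guardian set. The contract names, `initialize`, `isGuardian` and the `msg.sender`-based authorization in `submitContractUpgrade` are assumptions for illustration; the real bridge authorizes upgrades through guardian-signed messages. The second contract shows the standard mitigation: mark the implementation's own storage as initialized at deploy time so the bare implementation can never be initialized by a stranger.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical implementation contract sitting behind an upgradeable proxy.
// Its storage is normally written through the proxy via DELEGATECALL.
contract ImplementationUnlocked {
    bool public initialized;
    address[] public guardians;

    // Intended to run once, through the proxy, during deployment. Nothing here
    // stops someone from calling it directly on the implementation address, so
    // if the implementation is left uninitialized, the first caller to reach it
    // picks the guardian set that the implementation's own storage will trust.
    function initialize(address[] calldata initialGuardians) external {
        require(!initialized, "already initialized");
        require(initialGuardians.length > 0, "empty guardian set");
        initialized = true;
        guardians = initialGuardians;
    }

    function isGuardian(address who) public view returns (bool) {
        for (uint256 i = 0; i < guardians.length; i++) {
            if (guardians[i] == who) return true;
        }
        return false;
    }

    // Guardian-authorized upgrade: the DELEGATECALL runs newImpl's code in the
    // caller contract's storage context. Reached on the bare implementation
    // rather than the proxy, a SELFDESTRUCT in newImpl executes in the
    // implementation's context and removes the code every proxy points at.
    function submitContractUpgrade(address newImpl, bytes calldata initData) external {
        require(isGuardian(msg.sender), "not a guardian");
        (bool ok, ) = newImpl.delegatecall(initData);
        require(ok, "upgrade initialization failed");
    }
}

// Mitigation: the constructor runs only in the implementation's own storage
// context (never the proxy's), so setting the flag here locks the bare
// implementation while initialize() still works exactly once through the proxy.
contract ImplementationLocked is ImplementationUnlocked {
    constructor() {
        initialized = true;
    }
}
```

A cheap post-deployment check is to read `initialized()` on the implementation address itself (not the proxy) and expect `true`. Since the Cancun upgrade (EIP-6780) SELFDESTRUCT no longer deletes code outside the transaction that created the contract, but an initializable implementation still lets a stranger seed its trusted state, so locking it remains standard practice.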

“I am proud to have played a role in mitigating a serious vulnerability and a systemic threat to the ecosystem,” said Satya0x, who praised Wormhole’s handling of “the entire bug bounty process” and Immunefi as “a knowledgeable, visible, and credibly neutral third party”.

Blockchain bonanza

The motive for offering such a huge reward is illustrated by the frequent, enormous losses resulting from successful hacks of Decentralized Finance (DeFi) platforms – not least the $325 million stolen from Wormhole itself earlier this year.

The payout eclipses the previous bug bounty record – a $2 million reward paid by blockchain technology company Polygon to ethical hacker Gerhard Wagner in October 2021 for a ‘double spend’ vulnerability.

To put the Wormhole reward into even sharper perspective, the sum is larger than the total amount paid out across all Google Vulnerability Reward Programs (VRPs) in 2021, $8.7 million.

MakerDAO, another decentralized finance (DeFi) platform, is also offering a potential maximum payout of $10 million.

Source: https://portswigger.net/daily-swig/blockchain-bridge-wormhole-pays-record-10m-bug-bounty-reward
