February 24, 2022
Logic error allowing obligation collateral to be liquidated at a quicker pace than the borrow is being repaid.
Days in Operation:
Whitehat who goes by the pseudonym satya0x, responsibly disclosed a critical bug in the Wormhole core bridge contract on Ethereum. This bug was an upgradeable proxy implementation self-destruct bug that helped prevent a potential lockup of user funds. This particular responsible disclosure is yet another example of the immense strategic value that running a multi-million dollar bug bounty program can have for Web3 security programs.
Wormhole paid satya0x a record bug bounty of $10 million dollars for the find. It’s one thing to create a program with a really high top payout, but Wormhole has proven that they are very serious about paying top-dollar to help mitigate security issues in partnership with the white-hat community.
Wormhole is using a UUPS style proxy, where the upgrade logic resides in the implementation contract. The main difference is that the upgrade is guarded by Guardians that need to produce a multi-sig message stating the upgrade to the new implementation address is authorized. However, the implementation contract found at 0x736d2a394f7810c17b3c6fed017d5bc7d60c077d was uninitialized after a previous bugfix had reverted the original initialization. That means an attacker would be able to pass their own Guardian set and proceed with the upgrade as a Guardian they controlled.
DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.