Whitehat who goes by the pseudonym satya0x, responsibly disclosed a critical bug in the Wormhole core bridge contract on Ethereum. This bug was an upgradeable proxy implementation self-destruct bug that helped prevent a potential lockup of user funds. This particular responsible disclosure is yet another example of the immense strategic value that running a multi-million dollar bug bounty program can have for Web3 security programs.

Wormhole paid satya0x a record bug bounty of $10 million dollars for the find. It’s one thing to create a program with a really high top payout, but Wormhole has proven that they are very serious about paying top-dollar to help mitigate security issues in partnership with the white-hat community.

Wormhole is using a UUPS style proxy, where the upgrade logic resides in the implementation contract. The main difference is that the upgrade is guarded by Guardians that need to produce a multi-sig message stating the upgrade to the new implementation address is authorized. However, the implementation contract found at 0x736d2a394f7810c17b3c6fed017d5bc7d60c077d was uninitialized after a previous bugfix had reverted the original initialization. That means an attacker would be able to pass their own Guardian set and proceed with the upgrade as a Guardian they controlled.