A researcher and ethical hacking specialist received a historic $10 million payment after reporting a critical vulnerability in Wormhole's central bridge contract on Ethereum. Wormhole is a decentralized protocol that enables interoperability between blockchains such as Ethereum, Terra and Binance Smart Chain (BSC).
The report, by a researcher known simply as ‘Satya0x’, details that the exploitation of this flaw could have allowed malicious hackers to demand a ransom with the threat of blocking access to the protocol, which would have left all stored funds unusable.
In his proof of concept (PoC), published on GitHub, the researcher notes that more than $730 million in virtual assets resided in the Wormhole contract at the time of testing. In response, Wormhole approved the maximum payment set in its vulnerability rewards program.
The vulnerability was described as an upgradeable proxy implementation self-destruct bug, and was validated and fixed in late February, only a few hours after the researcher submitted his report.
The flaw stems from the implementation contract behind a Universal Upgradeable Proxy Standard (UUPS) proxy, which was left uninitialized after a previous fix reversed the original initialization. Threat actors could have passed in their own Guardian set and proceeded with the upgrade as a Guardian under their control.
Subsequently, malicious hackers could force an upgrade attempt with submitContractUpgrade(), causing a DELEGATECALL to a malicious address; at this stage, attackers could execute SELFDESTRUCT to permanently delete the deployment contract.
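The root cause described above, as an added example that is not from the researcher's PoC or Wormhole's code: a constructed toy model in Python showing that initializing through the proxy leaves the implementation's own storage uninitialized, and an audit check that flags it. The names `Account`, `BridgeLogic`, `deploy` and `implementation_is_claimable` are hypothetical, and the model is not EVM-accurate.

```python
# Constructed toy model of proxy/implementation storage; not EVM-accurate, not Wormhole's code.
class Account:
    """An account: code (a logic class) plus its own, separate storage."""
    def __init__(self, logic=None):
        self.logic, self.storage = logic, {}

class BridgeLogic:
    """Hypothetical upgradeable logic; acts on whichever storage it is handed."""
    @staticmethod
    def initialize(storage, guardians):
        if storage.get("initialized"):
            raise PermissionError("already initialized")
        storage["initialized"] = True
        storage["guardians"] = set(guardians)

def delegatecall(proxy, method, *args):
    """Proxy path: implementation code runs against the PROXY's storage."""
    return getattr(proxy.storage["impl"].logic, method)(proxy.storage, *args)

def direct_call(impl, method, *args):
    """Direct path: implementation code runs against its OWN storage."""
    return getattr(impl.logic, method)(impl.storage, *args)

def deploy(lock_implementation):
    impl = Account(BridgeLogic)
    if lock_implementation:  # mitigation: deployment marks the implementation initialized
        impl.storage["initialized"] = True
    proxy = Account()
    proxy.storage["impl"] = impl
    delegatecall(proxy, "initialize", ["guardian-A"])  # normal setup via the proxy
    return proxy, impl

def implementation_is_claimable(impl):
    """Audit check: would initialize() still succeed on the implementation itself?"""
    probe = Account(impl.logic)
    probe.storage = dict(impl.storage)  # probe a copy; real state is untouched
    try:
        direct_call(probe, "initialize", ["outsider"])
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    for locked in (False, True):
        proxy, impl = deploy(locked)
        print(f"locked={locked} proxy_initialized={proxy.storage['initialized']} "
              f"impl_claimable={implementation_is_claimable(impl)}")
```

In the unlocked deployment the proxy reports itself initialized while the implementation is still claimable, which is why the initialization state of the implementation has to be checked separately from that of the proxy.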
Satya0x was pleased with their