Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Wormhole is the largest cross-chain bridge. As such, it connects with many, many different blockchains and programming languages.

In Aptos, public(friend) functions are practically internal functions that cannot be called by the outside world. In particular, they can only be called by the same module or functions within the friend list.

The function publish_event is for a Wormhole smart contract emitting an event that triggers offchain code, such as a relayer, to process it. Unfortunately, when you add a modifier (code that runs before or after a function) to it, the public(friend) is now callable by anyone.

As a consequence, anybody can publish a token transfer event on the Aptos blockchain. Overall, a fairly simple bug in a weird contract ecosystem.

The amount at risk was at 5M because of the Global Accountant mechanism. Additionally, there is a limit on the amount of funds that can be taken out in a given week depending on previous usage. I find these defense in depth protections amazing! We need more things like this to prevent hacks from stealing billions.