Trail of Bits

Wormhole Governors and Watchers

Type

Security review

Client

Wormhole Foundation

Date

2023-03

Domain

Blockchain

Effort

8 wks

Section

Other/Multi-Chain

Trail of Bits' security review of the Wormhole Governors and Watchers for the Wormhole Foundation (March 2023) identified 17 issues: 4 of low severity, 10 informational, and 3 of undetermined severity. No high- or medium-severity findings are listed.

Findings · 17

  1. Lack of doc comments — Informational
  2. Fields protected by mutex are not documented — Informational
  3. Potential nil pointer dereference in reloadPendingTransfer — Low
  4. Unchecked type assertion in queryCoinGecko — Low
  5. Governor relies on a single external source of truth for asset prices — Informational
  6. Potential resource leak — Informational
  7. PolygonConnector does not properly use channels — Undetermined
  8. Receiver closes channel, contradicting Golang guidance — Undetermined
  9. Watcher configuration is overly complex — Informational
  10. evm.Watcher.Run's default behavior could hide bugs — Informational
  11. Race condition in TestBlockPoller — Informational
  12. Unconventional test structure — Informational
  13. Vulnerable Go packages — Undetermined
  14. Wormhole node does not build with latest Go version — Informational
  15. Missing or wrong context — Low
  16. Use of defer in a loop — Low
  17. Finalizer is allowed to be nil — Informational
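Two of the Low findings above, the unchecked type assertion in queryCoinGecko (4) and the use of defer in a loop (16), name general Go pitfalls rather than anything specific to Wormhole. The block below is an added illustration written for this page; it is not Wormhole code and not code from the report. The JSON shape, the token id "wrapped-token", and the tracker type are constructed for the example and do not reflect CoinGecko's actual API or the Wormhole node's structures. It shows the single-value assertion that panics when a remote schema drifts beside the two-value form that turns the same drift into an error, and a deferred release inside a loop beside a per-iteration closure that releases each handle immediately.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrBadPrice is returned when a price field is missing or has an unexpected type.
var ErrBadPrice = errors.New("price: missing or non-numeric")

// Constructed sample responses in the shape of a generic price API (not CoinGecko's real schema).
const goodResp = `{"wrapped-token": {"usd": 1.23}}`
const badResp = `{"wrapped-token": {"usd": "1.23"}}` // price sent as a string instead of a number

// parsePriceUnchecked shows the unsafe pattern: a single-value type assertion on decoded
// JSON panics as soon as the remote response differs from the expected shape.
func parsePriceUnchecked(body, id string) float64 {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(body), &m); err != nil {
		return 0
	}
	entry := m[id].(map[string]interface{}) // panics if id is absent or not an object
	return entry["usd"].(float64)           // panics if usd is missing or not a number
}

// parsePriceChecked uses the two-value assertion so schema drift becomes a returned error
// that the caller can log and handle instead of a crash of the whole process.
func parsePriceChecked(body, id string) (float64, error) {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(body), &m); err != nil {
		return 0, err
	}
	entry, ok := m[id].(map[string]interface{})
	if !ok {
		return 0, ErrBadPrice
	}
	price, ok := entry["usd"].(float64)
	if !ok {
		return 0, ErrBadPrice
	}
	return price, nil
}

// tracker counts "open" handles so the two loop styles below can be compared.
type tracker struct{ open, peak int }

// acquire opens one handle and returns the function that releases it.
func (t *tracker) acquire() func() {
	t.open++
	if t.open > t.peak {
		t.peak = t.open
	}
	return func() { t.open-- }
}

// processDeferInLoop defers every release until the function returns, so all n
// handles are open at the same time; with files or connections this exhausts descriptors.
func processDeferInLoop(t *tracker, n int) int {
	for i := 0; i < n; i++ {
		release := t.acquire()
		defer release()
	}
	return t.peak // n: nothing has been released yet
}

// processScoped moves the loop body into a closure so each defer runs at the end of
// its own iteration and at most one handle is open at a time.
func processScoped(t *tracker, n int) int {
	for i := 0; i < n; i++ {
		func() {
			release := t.acquire()
			defer release()
		}()
	}
	return t.peak // 1
}

func main() {
	p, err := parsePriceChecked(goodResp, "wrapped-token")
	fmt.Println("checked, good schema:", p, err)
	_, err = parsePriceChecked(badResp, "wrapped-token")
	fmt.Println("checked, drifted schema:", err)
	fmt.Println("peak handles, defer in loop:", processDeferInLoop(&tracker{}, 5))
	fmt.Println("peak handles, scoped defer:", processScoped(&tracker{}, 5))
}
```

The checked parser is the shape a watcher that polls an external price source should take: a malformed or changed response from a single upstream (see finding 5) must degrade to a logged error, not take the node down.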

Findings extracted from the published report PDF; see the full report for details and remediation status.
