According to Blockworks, a recent investigation by Asymmetric Research uncovered a critical vulnerability in the inter-blockchain communication (IBC) protocol. This standard facilitates interaction among individual cosmos chains. The vulnerability was specifically found in ibc-go, the Golang high-level programming language implementation of the IBC protocol, and it affected CosmWasm-based IBC middleware. The middleware, similar to many bridging protocols, allows packets to be sent from one blockchain to another. These packets are stored as commitments before being properly received and deleted. If not received, tokens are refunded through a timeout functionality.
Asymmetric Research discovered that the flow between the module deleting the commitment control could be replayed. This meant it was possible to exploit the bug and generate an infinite number of IBC tokens. Multiple chains were vulnerable to this issue, including Osmosis, one of the largest cross-chain DEXs in the Cosmos ecosystem. However, the potential damage was limited due to rate limiting on the chain.
The vulnerability has been privately disclosed to the Cosmos HackerOne bug bounty program and has been resolved without any malicious exploitation. Asymmetric Research emphasized the ease with which trust assumptions can be broken and new vulnerabilities introduced by adding new features and functionality. They also highlighted the importance of defense-in-depth and commended the Cosmos teams for their strong security measures that could have saved them from existential risks. A binary patch was released to fix the underlying IBC timeout reentrancy without breaking consensus. Contributors spent much time and effort assessing the security implications of the mentioned issues.