The bug posed a risk of a reentrancy attack, potentially allowing unauthorized token minting across IBC-connected chains.
No funds were lost due to the prompt action taken, preventing exploitation of the vulnerability by malicious actors.
Cosmos developers recently addressed a severe security flaw in their Inter-Blockchain Communication (IBC) protocol, successfully averting a potential theft of approximately $126 million. This vulnerability in the IBC protocol, integral to Cosmos’ functionality for enabling transactions across different blockchains, was reported by the blockchain security firm Asymmetric Research.
On April 23, Asymmetric Research announced that they had confidentially reported the flaw through the Cosmos HackerOne Bug Bounty program, leading to a swift resolution. “No malicious exploitation took place and no funds were lost,” the firm assured, indicating effective preventive action.
The nature of the bug could have permitted a reentrancy attack, which involves a hacker making recursive calls to a function in a smart contract, potentially allowing them to mint unlimited tokens on networks linked through the IBC, such as Osmosis and various decentralized finance platforms operating on Cosmos.
Asymmetric Research explained that the flaw had been present in the ibc-go, the high-level programming language used for implementing IBC since its inception in 2021. The vulnerability became a threat with the introduction of new third-party application software called IBC middleware.
This software expanded the IBC’s capabilities by enabling tokens adhering to the ICS20 interchain token standard to be transferred across different chains, inadvertently increasing the risk of exploits.
“This incident underlines the fragile nature of trust assumptions in blockchain networks and the potential risks introduced by new features,” Asymmetric stated, emphasizing the importance of thorough security measures and the need for ongoing research into cross-chain security to safeguard the interconnected blockchain environment.
By utilizing IBC hooks, CosmWasm contract calls can be initiated from the Acknowledgement and Timeout handlers. This allows entry into CosmWasm via IBC hooks. Subsequently, CosmWasm can generate submessages to execute arbitrary Cosmos messages, creating a recursive call scenario. This vulnerability could potentially lead to a multi-spend scenario, posing a significant risk to the security of the Cosmos network.
The exploitation process begins with deploying a smart contract that complies with IBC hooks callback for timeouts. Then, IBC tokens are sent back to the native chain with an expired timeout. Malicious relayers intercept the transfer, facilitating the preparation and execution of messages for a single CosmWasm execute() call.
These messages, such as MsgUpdateClient and MsgTimeout, are stored in the smart contract for future reentrant calls.
Following execution, the process entails the successful completion of MsgUpdateClient and MsgTimeout messages. This is followed by triggering MsgTimeout again via another submessage in the CosmWasm contract. This sequence repeats until all funds for a given token are stolen or the desired amount of IBC tokens are minted.
The bug was rectified by Cosmos developer Carlos Rodríguez approximately three weeks ago, as indicated by a GitHub commit. This proactive approach reflects Cosmos’ commitment to security and the efficacy of their response systems.
This incident was not the first time a critical vulnerability was discovered in the IBC protocol; another serious issue was identified and fixed in October 2022 before it could be exploited.
Together, these incidents highlight the ongoing challenges and essential vigilance required to secure complex blockchain ecosystems like Cosmos.
⚠️Disclaimer
This content aims to enrich readers with information. Always conduct independent research and use discretionary funds before investing. All buying, selling, and crypto asset investment activities are the responsibility of the reader.
