Cosmos patches ‘critical’ IBC protocol bug saving $126M

A significant security issue was identified and addressed by the Cosmos team in their Inter-Blockchain Communication (IBC) protocol. This vulnerability, as reported by a confidential source from the blockchain security industry, potentially exposed up to $126 million worth of assets.

“The vulnerability we discovered was reported exclusively to Cosmos’ HackerOne Bug Bounty platform, and it has since been fixed.” – Asymmetric Research (April 23)

“No malicious exploitation took place and no funds were lost,” it added.

The bug was potentially exploitable through a reentrancy attack, which could have let a malicious actor mint an unlimited number of tokens on interconnected IBC chains such as Osmosis and other decentralized finance platforms in the Cosmos network.

“We believe at least 126M+ in assets could have been stolen on Osmosis. However, rate limiting on Osmosis slows down the damage that could be caused.”

Rate limits protect systems from being overloaded by excessive requests by capping the number of requests that can be made within a given time frame. Potential attackers are thereby denied the ability to flood the system with too many requests at once, and the damage any single window can cause is bounded.
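To show how such a limit bounds the damage from a bug that would otherwise allow unlimited minting, here is a small worked example added to this article. It is illustrative code, not ibc-go's or Osmosis's own implementation, and the names `Limiter`, `Allow` and `Simulate` are assumptions. It generalizes the paragraph above slightly: instead of counting raw requests, the quota counts units of value that may cross a channel per fixed window, since that is the form that caps losses from an unbounded-mint flaw.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrRateLimited is returned when a transfer would push a channel past its quota.
var ErrRateLimited = errors.New("transfer exceeds channel quota for current window")

// Limiter is a simplified, hypothetical per-channel value-flow limiter:
// at most `quota` units may move over a channel within one `window`.
// The clock is injectable so the behaviour can be tested deterministically.
type Limiter struct {
	quota  uint64
	window time.Duration
	used   map[string]uint64    // channel -> units moved in the current window
	start  map[string]time.Time // channel -> start of the current window
	now    func() time.Time
}

// NewLimiter builds a limiter with the given quota, window length and clock.
func NewLimiter(quota uint64, window time.Duration, now func() time.Time) *Limiter {
	return &Limiter{
		quota:  quota,
		window: window,
		used:   map[string]uint64{},
		start:  map[string]time.Time{},
		now:    now,
	}
}

// Allow records a transfer of `amount` over `channel` if it fits within the
// remaining quota for the current window, otherwise returns ErrRateLimited.
func (l *Limiter) Allow(channel string, amount uint64) error {
	t := l.now()
	// Start a fresh window if none exists or the previous one has elapsed.
	if s, ok := l.start[channel]; !ok || t.Sub(s) >= l.window {
		l.start[channel] = t
		l.used[channel] = 0
	}
	// Compare against the remaining allowance; used never exceeds quota, so no underflow.
	if amount > l.quota-l.used[channel] {
		return ErrRateLimited
	}
	l.used[channel] += amount
	return nil
}

// Simulate models an attacker firing `n` transfers of `amount` each through the
// limiter inside a single window. It returns the total units that got through
// and the number of transfers rejected, i.e. how much the limit contained.
func Simulate(l *Limiter, channel string, n int, amount uint64) (passed uint64, rejected int) {
	for i := 0; i < n; i++ {
		if err := l.Allow(channel, amount); err != nil {
			rejected++
			continue
		}
		passed += amount
	}
	return passed, rejected
}

func main() {
	// Constructed scenario: a 1,000,000-unit daily quota and 10,000 attempted
	// transfers of 500 units each (5,000,000 units requested in total).
	clock := time.Unix(0, 0)
	l := NewLimiter(1_000_000, 24*time.Hour, func() time.Time { return clock })
	passed, rejected := Simulate(l, "channel-0", 10_000, 500)
	fmt.Printf("units moved: %d, transfers rejected: %d\n", passed, rejected)
}
```

The flood is contained to the quota for the window regardless of how many transfers are attempted; once the window elapses the allowance resets, which is why the article describes rate limiting as slowing the damage rather than preventing it outright.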

Since its launch in 2021, ibc-go, the high-level programming language implementation of IBC by Asymmetric, has carried a persistent bug.

The bug only became exploitable more recently, following the launch of a new external program, IBC middleware, developed by the Cosmos team. This software enables ICS20 tokens to move between different blockchains.

Adding new features and functionality to a system can introduce vulnerabilities, as this situation illustrates. It is yet another reminder of how crucial it is to have multiple layers of security in place, a concept known as defense-in-depth. Asymmetric stressed this point.

“This vulnerability highlights the critical need for more research into cross-chain security risks to protect the multichain ecosystem better.”

The bug was patched by Cosmos dev Carlos Rodriguez about three weeks ago, a GitHub commit shows.

In October 2022, a significant security issue was discovered in the IBC (Inter-Blockchain Communication) protocol. This flaw affected every blockchain that utilized IBC and could have led to potential exploits if left unaddressed. Fortunately, a fix was implemented before any harm could be caused.

2024-04-24 05:06