Cosmos developers have successfully resolved a significant security flaw in their Inter-Blockchain Communication (IBC) protocol, which posed a risk of over $126 million. This discovery was made by blockchain security firm Asymmetric Research, who privately notified Cosmos about the issue. Asymmetric Research reported that they disclosed the vulnerability through the Cosmos HackerOne Bug Bounty program, and the problem has now been fixed. Fortunately, no malicious exploitation occurred, and no funds were lost.
The bug had the potential to enable a reentrancy attack, allowing hackers to create infinite tokens on IBC-connected chains like Osmosis and other decentralized finance ecosystems on Cosmos. Rate limits are put in place to prevent or minimize attacks that overload a system by controlling the rate of requests made.
Asymmetric Research highlighted that this bug has been present in ibc-go, a high-level programming language implementation of IBC, since its launch in 2021. However, it only became exploitable recently after Cosmos developers introduced a new third-party application called IBC middleware, which facilitates the transfer of ICS20 tokens across different chains.
The security firm emphasized the ease with which trust assumptions can be compromised and new vulnerabilities can be introduced when implementing new features and functionalities. They stressed the importance of a defense-in-depth approach to security.
According to a GitHub commit, the bug was fixed by Cosmos developer Carlos Rodriguez approximately three weeks ago. In October 2022, another critical security vulnerability was discovered in the IBC protocol, which affected all IBC-connected chains. However, it was patched before any potential exploitation occurred.
Source:
Asymmetric Research
Related:
Cosmos Hub approves ATOM inflation reduction for enhanced security
Magazine:
Are DAOs overhyped and unworkable? Lessons from the front lines