Cosmos developers have successfully resolved a significant security flaw in their Inter-Blockchain Communication (IBC) protocol, thanks to the efforts of a blockchain security firm. The bug, which was privately reported to Cosmos through the HackerOne Bug Bounty program, had the potential to put over $126 million at risk. However, Asymmetric Research, the security firm responsible for the discovery, confirmed that no malicious exploitation occurred and no funds were lost.
The bug could have enabled a reentrancy attack, allowing an attacker to mint an unlimited number of tokens on IBC-connected chains, including Osmosis and other decentralized finance ecosystems on Cosmos. Rate limits, which cap how many transfer requests a chain will process in a given window, are one safeguard against such attacks: they bound the damage an attacker can do before the system is overwhelmed, even if the underlying bug is triggered.
Asymmetric Research highlighted that the bug had been present in ibc-go, the Go implementation of IBC, since its launch in 2021. However, it only became exploitable recently, following the introduction of a third-party application called IBC middleware. This middleware facilitates the transfer of tokens across chains using the ICS20 interchain token standard.
The security firm emphasized the importance of caution when introducing new features and functionality, as they can inadvertently add new trust assumptions and introduce vulnerabilities. They stressed the significance of a defense-in-depth approach to security.
The bug was successfully patched by Cosmos developer Carlos Rodríguez approximately three weeks ago, as evident from a GitHub commit. In October 2022, another critical security vulnerability was identified in the IBC protocol, affecting all IBC-connected chains. Fortunately, this vulnerability was promptly addressed before any potential exploitation could occur.