A critical security issue in the Cosmos Inter-Blockchain Communication (IBC) protocol, which potentially exposed over $126 million, has been fixed by the Cosmos development team.
Before the issue became public knowledge, Asymmetric Research shared information about a weakness affecting Cosmos’ infrastructure. The firm said the issue had already been patched, preventing potential misuse.
Critical Security Bug
According to Asymmetric Research’s findings, the Inter-Blockchain Communication protocol had contained an inherent flaw since its inception. However, the bug did not become exploitable until advancements were made to the protocol’s codebase. Once Cosmos became aware of the problem, it promptly issued a patch to prevent anyone from taking advantage of the vulnerability. Asymmetric Research disclosed this information in a recent blog post.
An attacker could have taken advantage of a reentrancy flaw in the processing of timeout messages on certain Cosmos chains, potentially allowing them to produce an endless supply of IBC tokens. This vulnerability was present in IBC-go since its inception but became exploitable due to advancements within the Cosmos SDK community, particularly the adoption of CosmWasm-based IBC interfaces. We reported this issue through the Cosmos HackerOne Bug Bounty program, and a fix has been implemented. No attacks occurred, and no funds were affected.
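The reentrancy pattern described above, as an added Go example that is not code from ibc-go, Asymmetric Research or this article: a toy escrow ledger whose timeout handler calls an external hook, with the unsafe ordering beside the hardened one. The `Bridge` type, its fields, `Simulate` and the assumed order of operations are hypothetical; the page does not show the actual code.

```go
package main

import "fmt"

// Bridge is a toy escrow ledger, NOT ibc-go code. All names are hypothetical.
type Bridge struct {
	pending  map[uint64]uint64 // packet sequence -> escrowed amount awaiting ack/timeout
	balances map[string]uint64 // sender -> refunded tokens
	hook     func(seq uint64)  // external callback, stands in for a contract hook
	safe     bool              // true = clear state before the external call
}

// Timeout refunds the sender of a packet that was never delivered.
func (b *Bridge) Timeout(sender string, seq uint64) error {
	amt, ok := b.pending[seq]
	if !ok {
		return fmt.Errorf("packet %d: no pending commitment", seq)
	}
	if b.safe {
		delete(b.pending, seq) // effect first: a nested call now fails the check above
	}
	b.balances[sender] += amt
	if b.hook != nil {
		b.hook(seq) // interaction: untrusted code runs here
	}
	delete(b.pending, seq) // assumed vulnerable ordering: commitment cleared only now
	return nil
}

// Simulate escrows 100 tokens in one packet (constructed sample), times it out
// with a hook that re-enters Timeout up to depth times, and returns the refund total.
func Simulate(safe bool, depth int) uint64 {
	b := &Bridge{pending: map[uint64]uint64{1: 100}, balances: map[string]uint64{}, safe: safe}
	calls := 0
	b.hook = func(seq uint64) {
		if calls < depth {
			calls++
			_ = b.Timeout("alice", seq) // nested timeout for the same packet
		}
	}
	_ = b.Timeout("alice", 1)
	return b.balances["alice"]
}

func main() {
	fmt.Println("vulnerable ordering refunds:", Simulate(false, 3)) // 400
	fmt.Println("hardened ordering refunds:  ", Simulate(true, 3))  // 100
}
```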
Jessy Irwin, the CEO of Amulet who manages the Interchain Foundation’s bug bounty program and ensures security in the Cosmos ecosystem, acknowledged receiving a report about the issue.
During the process of addressing this matter, Amulet and the IBC-go team conducted separate evaluations, focusing on potential risks and identifying parties who might be affected, with the goal of minimizing any negative impact.
Over $126 Million Were At Risk
According to Asymmetric Research’s findings, the code contained a reentrancy bug. If exploited, this issue could have enabled hackers to generate an infinite number of tokens on interconnected blockchain networks like Osmosis and other decentralized finance platforms within the Cosmos ecosystem.
Based on our estimation, over 126 million dollars’ worth of assets may have been taken from Osmosis. Yet, the implementation of rate limiting on this platform helps mitigate potential harm.
Rate limits protect systems from being overloaded by unwanted requests by capping the number of requests that can be made within a given time frame. In the case of Cosmos and its IBC middleware, this feature became crucial when developers discovered a vulnerability in the system that moves Interchain token standard tokens between chains. In its blog post, Asymmetric explained that this issue made it possible for attackers to exploit the system, and emphasized the importance of rate limiting as a protective measure.
“This situation shows how simple it is to shatter trust and create new weaknesses by introducing new features or functions. It serves as another reminder of the significance of multiple layers of defense. This vulnerability underscores the urgent need for further exploration into cross-chain security threats, in order to safeguard the multichain network more effectively.”
According to Asymmetric CEO Jonathan Claudius, this issue underscores the importance of further investigation into cross-chain security risks in order to better protect the interconnected blockchain network.
“This discovery underscores the importance of conducting additional research on cross-chain security risks, in order to safeguard the multichain system more effectively. This incident showcases our ability and commitment to identifying and mitigating significant threats that could potentially jeopardize the digital economy.”
2024-04-24 12:09