A “critical” security flaw in the Inter-Blockchain Communication (IBC) protocol of Cosmos has been swiftly addressed by developers, averting a potential risk of at least $126 million, according to a blockchain security firm that discreetly notified Cosmos of the issue.
Asymmetric Research, the firm behind the discovery, disclosed on April 23 that the vulnerability was promptly patched through the Cosmos HackerOne Bug Bounty program. Fortunately, no malicious exploitation occurred, and no funds were compromised.
New blog post: Cosmos IBC Reentrancy Infinite Mint. A critical reentrancy bug in ibc-go could have enabled the infinite mint of IBC tokens on Cosmos chains. https://t.co/ybeLpiUqTU
— asymmetric research (@asymmetric_re) April 23, 2024
The flaw could have enabled a reentrancy attack, allowing an attacker to mint infinite tokens on IBC-connected chains such as Osmosis and other DeFi ecosystems within Cosmos.
Asymmetric estimated that over $126 million in assets on Osmosis could have been pilfered. Rate limiting measures on Osmosis helped mitigate the potential damage.
“We found several chains vulnerable to this issue, but Osmosis was the largest in TVL. We believe at least 126M+ in assets could have been stolen on Osmosis. However, rate limiting on Osmosis slows down the damage that could be caused.”
The vulnerability, which resided in ibc-go, the Go implementation of IBC, had been present since its 2021 launch. It became exploitable only recently, following the deployment of IBC middleware, a third-party application facilitating the cross-chain movement of tokens adhering to the ICS20 interchain token standard.
In its conclusion, Asymmetric emphasized:
“This issue demonstrates how easy it is to break trust assumptions and introduce new vulnerabilities by adding new features and functionality. It is also another example of the importance of defense-in-depth.”
The timely resolution of this issue by Cosmos developer Carlos Rodríguez, as evidenced by a GitHub commit around three weeks ago, highlights the proactive stance of the Cosmos team in addressing critical security concerns.
This isn’t the first time Cosmos has faced such challenges; a previous “critical” security vulnerability identified in October 2022 was swiftly patched before any potential exploitation, underscoring the ongoing commitment to safeguarding the integrity of the multichain ecosystem.