Cosmos patches ‘critical’ IBC protocol bug, saving $126 million
According to Asymmetric Research, the flaw has always been in IBC, but it became exploitable only recently owing to changes in the protocol’s code base.
According to a blockchain security firm that privately contacted Cosmos about the issue, Cosmos developers have patched a “critical” security flaw in the Inter-Blockchain Communication (IBC) protocol.
According to Asymmetric Research, the vulnerability was disclosed privately through the Cosmos HackerOne bug bounty program, and the issue has now been patched. “No malicious exploitation took place and no funds were lost,” the statement said.
The issue could have enabled a reentrancy attack, allowing an attacker to create an unlimited number of tokens on IBC-connected chains such as Osmosis and other decentralized finance ecosystems on Cosmos.
“We estimate at least $126 million in assets may have been taken on Osmosis. However, decreasing the rate of Osmosis reduces the potential damage.” Rate limits restrict the rate at which requests are issued, preventing or mitigating attacks that aim to overwhelm a system.
Asymmetric reported that the flaw has existed in IBC-go, a high-level programming language implementation of IBC, since its debut in 2021. The flaw became exploitable only recently, after Cosmos developers released a new third-party program called IBC middleware, which allows ICS20 (interchain token standard) tokens to traverse chains.
“This problem highlights how simple it is to undermine trust assumptions and introduce new vulnerabilities by introducing new features and capabilities. It is also an example of the value of defense-in-depth,” Asymmetric said.
“This vulnerability highlights the critical need for more research into cross-chain security risks to protect the multichain ecosystem better.”
Cosmos developer Carlos Rodriguez fixed the flaw roughly three weeks ago, according to a GitHub commit. Another “critical” security flaw in the IBC protocol was discovered in October 2022; it affected all IBC-connected chains but was patched before any conceivable exploit.