Developers of the Cosmos blockchain have fixed a serious security flaw in the Inter-Blockchain Communication (IBC) protocol that could have put $126 million in digital assets at risk, according to a report from a blockchain security firm.

The vulnerability, which was privately reported by Asymmetric Research through the Cosmos HackerOne bug bounty program, has now been fixed.

Vulnerability could lead to re-entrancy attack

The security firm confirmed on April 23 that the vulnerability could lead to a so-called re-entrancy attack, in which an attacker calls back into a handler before it has finished updating its state and could thereby mint an unlimited number of tokens on IBC-connected blockchains such as Osmosis and other decentralized finance ecosystems within Cosmos. Asymmetric Research stated: “We believe at least $126 million in assets could have been stolen on Osmosis, but the rate limits likely prevented a worse outcome.”
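What a re-entrancy bug looks like in the abstract, as an added example that is not from the article, from Asymmetric Research or from ibc-go: a toy voucher ledger whose receive handler hands control to a middleware hook before it marks the packet as processed, beside the same handler with the state update moved ahead of the hook. The ledger, packet IDs, hook and amounts are hypothetical; the article gives no detail of the real ibc-go bug and this code does not reproduce it.

```go
package main

import (
	"errors"
	"fmt"
)

// Ledger is a toy voucher ledger: amounts still pending per packet ID and
// the voucher balances they are credited to. Hypothetical illustration of the
// re-entrancy pattern, not the ibc-go transfer module or the actual bug.
type Ledger struct {
	pending  map[string]int64 // packet ID -> amount not yet finalized
	balances map[string]int64 // account -> credited vouchers
	hook     func(packetID, receiver string)
}

// NewLedger seeds one pending packet that the receiver may claim once.
func NewLedger(packetID string, amount int64) *Ledger {
	return &Ledger{
		pending:  map[string]int64{packetID: amount},
		balances: map[string]int64{},
	}
}

// RecvVulnerable credits the receiver and invokes the middleware hook before
// the pending entry is removed. A hook that calls back into RecvVulnerable
// still finds the packet pending and is credited again on every re-entry.
func (l *Ledger) RecvVulnerable(packetID, receiver string) error {
	amt, ok := l.pending[packetID]
	if !ok {
		return errors.New("unknown or already processed packet")
	}
	l.balances[receiver] += amt // effect
	if l.hook != nil {
		l.hook(packetID, receiver) // interaction: untrusted code runs here
	}
	delete(l.pending, packetID) // effect that should have come first
	return nil
}

// RecvSafe applies checks-effects-interactions: the packet is marked processed
// and credited before any external hook runs, so a re-entrant call fails the check.
func (l *Ledger) RecvSafe(packetID, receiver string) error {
	amt, ok := l.pending[packetID]
	if !ok {
		return errors.New("unknown or already processed packet")
	}
	delete(l.pending, packetID)
	l.balances[receiver] += amt
	if l.hook != nil {
		l.hook(packetID, receiver)
	}
	return nil
}

// RunScenario installs a hook that re-enters the receive path `reentries`
// times and returns the receiver's final balance for one 1000-unit packet.
func RunScenario(safe bool, reentries int) int64 {
	l := NewLedger("pkt-1", 1000)
	recv := l.RecvVulnerable
	if safe {
		recv = l.RecvSafe
	}
	done := 0
	l.hook = func(packetID, receiver string) {
		if done < reentries {
			done++
			_ = recv(packetID, receiver) // an attacker ignores the error and keeps going
		}
	}
	_ = recv("pkt-1", "attacker")
	return l.balances["attacker"]
}

func main() {
	fmt.Println("vulnerable:", RunScenario(false, 4)) // credited five times for one packet
	fmt.Println("safe:      ", RunScenario(true, 4))  // credited once
}
```

The only difference between the two handlers is the position of `delete(l.pending, packetID)` relative to the hook call; that ordering is what a middleware layer added after the fact can silently break.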

Rate limits are controls that cap how much can pass through a system in a given period of time, so that a successful attack does bounded damage before it is throttled. In the IBC setting the cap applies to the value of a token moving through a channel within a time window rather than to a raw request count, so an attacker who can mint tokens without limit can still only move a bounded amount across the channel before further transfers are rejected.
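How such a limit bounds the damage, as an added example that is not from the article or from any Cosmos project: a per-channel, per-denom rolling-window quota on net outflow, run against an attacker who holds unlimited freshly minted tokens. The quota sizes, channel names, denom and the `Drain` attacker model are hypothetical; this is not the Osmosis rate limiter or an ibc-go module.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrRateLimited is returned when a transfer would push a channel past its quota.
var ErrRateLimited = errors.New("transfer exceeds channel rate limit")

// Quota is a hypothetical per-channel, per-denom limit: net outflow within any
// rolling Window may not exceed MaxOutflow. Illustration only, not the
// Osmosis rate limiter or any ibc-go module.
type Quota struct {
	MaxOutflow int64
	Window     time.Duration
}

// flow is one signed movement through a channel: positive out, negative in.
type flow struct {
	at     time.Time
	amount int64
}

// Limiter keeps quotas and recent flows keyed by channel and denom.
type Limiter struct {
	quotas map[string]Quota
	flows  map[string][]flow
}

func NewLimiter() *Limiter {
	return &Limiter{quotas: map[string]Quota{}, flows: map[string][]flow{}}
}

func key(channel, denom string) string { return channel + "/" + denom }

func (l *Limiter) SetQuota(channel, denom string, q Quota) {
	l.quotas[key(channel, denom)] = q
}

// netOutflow drops flows older than the window and sums what remains.
func (l *Limiter) netOutflow(k string, now time.Time, window time.Duration) int64 {
	kept := l.flows[k][:0]
	var net int64
	for _, f := range l.flows[k] {
		if now.Sub(f.at) < window {
			kept = append(kept, f)
			net += f.amount
		}
	}
	l.flows[k] = kept
	return net
}

// Send admits an outgoing transfer only if it keeps net outflow within quota.
// A channel without a quota is unrestricted, which is the state an attacker
// with an unlimited mint would want.
func (l *Limiter) Send(channel, denom string, amount int64, now time.Time) error {
	k := key(channel, denom)
	q, ok := l.quotas[k]
	if !ok {
		return nil
	}
	if l.netOutflow(k, now, q.Window)+amount > q.MaxOutflow {
		return ErrRateLimited
	}
	l.flows[k] = append(l.flows[k], flow{at: now, amount: amount})
	return nil
}

// Receive records an inbound transfer, which frees up outflow quota.
func (l *Limiter) Receive(channel, denom string, amount int64, now time.Time) {
	k := key(channel, denom)
	l.flows[k] = append(l.flows[k], flow{at: now, amount: -amount})
}

// Drain models an attacker holding unlimited freshly minted tokens who fires
// `attempts` transfers of `each` one second apart; it returns how much got out.
func Drain(l *Limiter, channel, denom string, attempts int, each int64, start time.Time) int64 {
	var out int64
	for i := 0; i < attempts; i++ {
		at := start.Add(time.Duration(i) * time.Second)
		if err := l.Send(channel, denom, each, at); err == nil {
			out += each
		}
	}
	return out
}

func main() {
	l := NewLimiter()
	start := time.Date(2024, 4, 1, 0, 0, 0, 0, time.UTC)
	l.SetQuota("channel-0", "uosmo", Quota{MaxOutflow: 1_000_000, Window: 24 * time.Hour})
	fmt.Println("limited channel drained:", Drain(l, "channel-0", "uosmo", 100, 250_000, start))
	fmt.Println("unlimited channel drained:", Drain(l, "channel-1", "uosmo", 100, 250_000, start))
}
```

The limiter does nothing to stop the mint itself; it turns an unbounded loss into one capped at `MaxOutflow` per window per channel, which is the defense-in-depth role the article credits it with.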

Flaw existed since launch of ibc-go

According to the report, the flaw had existed since the launch of ibc-go, the Go implementation of IBC, in 2021. It only came to light after the recent introduction of IBC middleware, new software that wraps the ICS20 (interchain fungible token transfer) application to extend how tokens are moved between chains.

“This incident underlines how easy it is to violate security assumptions and introduce new vulnerabilities with the addition of new features,” pointed out ADSL, another security organization. “It also highlights the importance of defense in depth and the need for more research into the security risks of cross-chain technologies.”

The bug was fixed about three weeks ago by Cosmos developer Carlos Rodriguez, as shown in a GitHub commit. A previous ‘critical’ security issue within the same IBC protocol was identified in October 2022 but was also patched before it could be exploited.

Source: https://newsbit.nl/kritieke-beveiligingsfout-in-het-cosmos-blockchain-systeem-tijdig-opgelost/
