Cosmos Fixes IBC Bug, Saves $126M


Cosmos recently faced a potential security flaw in its ecosystem that could have allowed hackers to generate tokens on IBC chains.

The issue could have enabled a reentrancy attack, allowing a hacker to manufacture an unlimited number of tokens on IBC-connected chains such as Osmosis and other decentralized finance ecosystems on Cosmos.

Cosmos Addresses Hacking Issue

Rate limits regulate the pace at which requests are issued. At the very least, this reduces attacks that aim to overwhelm a system, and it serves to prevent, or at least moderate, such attacks.

Source: Asymmetric Research

Asymmetric pointed out that the flaw has been present in ibc-go, the implementation of IBC in Go, a high-level programming language, ever since it was first released in 2021.

However, the issue did not become exploitable until recently, when the developers of Cosmos released a new third-party application known as IBC middleware.

“We believe at least 126M+ in assets could have been stolen on Osmosis. However, rate limiting on Osmosis slows down the damage that could be caused.”

This application enables ICS20 tokens, the interchain token standard, to navigate across chains. “This issue demonstrates how simple it is to break trust assumptions and introduce new vulnerabilities by adding new features and functionality,” the author writes.

“This vulnerability highlights the critical need for more research into cross-chain security risks to protect the multichain ecosystem better.”

“In addition to that, it is yet another illustration of the significance of defense-in-depth,” Asymmetric stressed. According to a commit on GitHub, the bug was fixed approximately three weeks ago by Carlos Rodriguez, a developer for Cosmos.

In October 2022, a further “critical” security weakness was discovered in the IBC protocol. This vulnerability potentially affected all chains that were connected to the IBC, but it was patched before any potential exploit could be carried out.  
