Developers at Cosmos have addressed a “critical” security flaw in their Inter-Blockchain Communication (IBC) protocol, potentially safeguarding over $126 million in assets that were at risk, according to a blockchain security firm.
Asymmetric Research, the security firm, privately notified Cosmos of the vulnerability through the Cosmos HackerOne Bug Bounty program. Cosmos developers promptly patched the issue after receiving the disclosure, ensuring that no malicious exploitation occurred and no funds were lost.
The security flaw could have facilitated a reentrancy attack, enabling a hacker to generate infinite tokens on IBC-connected chains like Osmosis and other decentralized finance ecosystems on the Cosmos network. However, rate-limiting measures on Osmosis helped mitigate the potential damage.
The bug had been present in ibc-go, the Go implementation of IBC, since its launch in 2021. It became exploitable only recently after the introduction of IBC middleware, a third-party application facilitating the transfer of ICS-20 tokens across chains.
Asymmetric emphasized the significance of robust security measures and defense-in-depth strategies, particularly in multi-chain ecosystems. They stressed the need for further research into cross-chain security risks to enhance the protection of the multichain environment.
Cosmos developer Carlos Rodriguez patched the vulnerability approximately three weeks ago, as indicated by a GitHub commit. This incident follows a previous “critical” security vulnerability identified in the IBC protocol in October 2022, which was successfully patched before any potential exploitation across IBC-connected chains.