Cosmos developers have addressed a "critical" security flaw in their inter-blockchain communication (IBC) protocol, which was flagged by a blockchain security firm, Asymmetry Research. The vulnerability posed a significant risk, potentially putting over $126 million in assets in jeopardy. Asymmetry Research disclosed the issue privately to Cosmos through the platform's HackerOne Bug Bounty program, leading to prompt action to rectify the flaw.
On April 23, Asymmetry Research confirmed that the vulnerability had been resolved following its private disclosure. The firm said that no malicious exploitation had taken place and that no funds were lost as a result of the flaw. The vulnerability could have enabled reentrancy attacks, allowing malicious actors to exploit IBC-connected chains like Osmosis and other decentralized finance ecosystems on Cosmos to mint unlimited tokens.
While the security flaw was identified and reported, Asymmetry Research estimated that approximately $126 million worth of assets were potentially at risk on Osmosis. However, measures such as rate limiting were implemented to limit the damage that exploiting the vulnerability could inflict. Rate limiting is a mechanism used to regulate the rate at which requests are processed, thereby mitigating the impact of potential attacks.
Asymmetry Research highlighted that the vulnerability had persisted in ibc-go, the Go implementation of IBC, since its inception in 2021. However, it became exploitable only recently with the introduction of a new third-party application called IBC Middleware. This application facilitated the cross-chain transfer of tokens adhering to the ICS20 Interchain Token Standard.
The incident underscored the inherent risks of adding new features and capabilities to blockchain protocols, as they can inadvertently introduce vulnerabilities. Asymmetry Research emphasized the importance of adopting a defense-in-depth approach to strengthen the security posture of multi-chain ecosystems. The timely resolution of the vulnerability by Cosmos developer Carlos Rodríguez, as evidenced by GitHub commits, reflected the proactive response to mitigate potential risks to the network's security.