Security firm Asymmetric Research has disclosed a weakness in the Cosmos blockchain network’s Wormhole interoperability protocol that, had it been exploited, could have put more than $150 million worth of assets at risk.

Asymmetric, which discovered the “reentrancy vulnerability,” reported it privately to the Cosmos development team. The issue was reportedly fixed before it could be abused.

“The vulnerability we discovered was reported quietly through the Cosmos HackerOne Bug Bounty platform, and it has since been fixed. Fortunately, no one took advantage of it maliciously, and no funds were affected as a result.”

Jessy Irwin, CEO of Amulet, which runs the Interchain Foundation’s bug bounty program and manages security across the Cosmos network, confirmed by email that the problem had been reported to them. A public advisory about the issue has since been published.

A Cosmos first

The Cosmos network is made up of multiple interconnected blockchains that share common code and core components. Although the bug caused no financial losses, it is the first reentrancy vulnerability found in the system – an unexpected result that has raised questions about the security and reliability previously taken for granted on the Cosmos platform.

The Inter-Blockchain Communication Protocol (IBC) is a core component of many Cosmos blockchains: it lets separate chains communicate and transfer assets between one another. Asymmetric found the weakness in ibc-go, the widely used implementation of IBC that several Cosmos chains run.

While the issue was being addressed, the Amulet and ibc-go teams independently assessed which parties might be affected and worked to limit the impact, according to Irwin (statement paraphrased).

Because of the reentrancy bug, an attacker could potentially have minted an unlimited number of tokens on interoperable blockchains such as Osmosis, a major part of the decentralized finance (DeFi) ecosystem on Cosmos. A reentrancy bug lets a caller re-enter a function before an earlier invocation has finished updating state, so a crafted sequence of transactions is processed against stale state and the system can be manipulated.

Although the weakness had been present in ibc-go since its inception, it only became exploitable with the arrival of new features in the Cosmos SDK ecosystem, specifically “IBC middleware” – custom applications built with CosmWasm, a WebAssembly-based smart contract runtime. This innovation lets tokens be transferred between blockchains.
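The following Go model is an added illustration, not ibc-go’s code and not the actual bug Asymmetric reported: it shows how a mint-on-receive handler becomes re-entrant once a middleware hook (such as a CosmWasm contract) can call back into it, with the vulnerable ordering and the checks-effects-interactions fix in one handler. `TransferModule`, `Hook`, `OnRecvPacket`, `Simulate` and the packet ID are all constructed for the example.

```go
package main

import "errors"

// Hook models an IBC middleware callback (for example a CosmWasm contract run on
// packet receipt) that may call back into the module that invoked it.
type Hook func(m *TransferModule, packetID string) error

// TransferModule is a hypothetical, simplified stand-in for a transfer module:
// it credits one voucher mint per inbound packet and then runs middleware hooks.
type TransferModule struct {
	received map[string]bool // packet IDs already credited
	Balance  int64           // vouchers minted so far
	hooks    []Hook
	Hardened bool // true: record the packet BEFORE calling out (checks-effects-interactions)
}

// OnRecvPacket credits the packet, then runs the hooks. In vulnerable mode the packet
// is recorded only after the hooks return, so a hook that re-delivers the same
// packet ID is credited again; in hardened mode that re-entry is rejected.
func (m *TransferModule) OnRecvPacket(packetID string, amount int64) error {
	if m.received[packetID] {
		return errors.New("duplicate packet")
	}
	if m.Hardened {
		m.received[packetID] = true // effect committed before the interaction
	}
	m.Balance += amount
	for _, h := range m.hooks {
		if err := h(m, packetID); err != nil {
			return err // a real SDK tx would revert all state on error
		}
	}
	m.received[packetID] = true
	return nil
}

// Simulate delivers one 100-unit packet through a constructed hook that
// re-delivers the same packet twice while the first delivery is still in flight.
func Simulate(hardened bool) (int64, error) {
	m := &TransferModule{received: map[string]bool{}, Hardened: hardened}
	n := 0
	m.hooks = []Hook{func(m *TransferModule, id string) error {
		if n++; n > 2 {
			return nil
		}
		return m.OnRecvPacket(id, 100)
	}}
	err := m.OnRecvPacket("channel-0/seq-1", 100)
	return m.Balance, err
}
```

In vulnerable mode one packet yields a balance of 300 with no error; in hardened mode the nested delivery fails the duplicate check, the error propagates, and only the single 100-unit credit remains (which a real transaction would then revert).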

“The discovery of this vulnerability underscores the importance of conducting additional research on cross-chain security risks to enhance the security of the interconnected blockchain network,” remarked Jonathan Claudius, CEO of Asymmetric and previous security lead at Jump Crypto. “This incident showcases our expertise and commitment to identifying and addressing potential dangers that may jeopardize the digital economy.”

2024-04-23 16:26