- Cosmos developers have fixed a critical security bug in the Inter-Blockchain Communication (IBC) protocol that put at least $126 million at risk.
- The bug, which had existed since IBC’s launch in 2021, could have allowed a reentrancy attack to mint infinite tokens on IBC-connected chains like Osmosis and other decentralized finance ecosystems on Cosmos.
- The vulnerability was privately disclosed to Cosmos through its HackerOne Bug Bounty program by blockchain security firm Asymmetric Research, and it has now been patched without any malicious exploitation or loss of funds.
The Inter-Blockchain Communication (IBC) protocol had a major vulnerability that could have been exploited to steal funds. Thanks to responsible disclosure and quick patching by the Cosmos team, disaster was averted.
What Happened
Blockchain security firm Asymmetric Research privately disclosed a critical bug in Cosmos’ IBC protocol. The vulnerability could have enabled reentrancy attacks, allowing hackers to mint unlimited tokens on IBC-connected chains.
Asymmetric estimated at least $126 million in assets on the Osmosis DEX were at risk. Rate limiting on Osmosis would have slowed down an attack, but the vulnerability still posed a serious threat.
The IBC bug has existed since the protocol launched in 2021. It only recently became exploitable after new IBC middleware enabled ICS20 tokens to cross chains. This demonstrates how new features can introduce security flaws.
The Aftermath
No funds were lost or stolen. Cosmos developer Carlos Rodriguez patched the vulnerability about three weeks ago after private disclosure. This quick response protected IBC-connected chains like Osmosis.
This is the second critical IBC bug found in recent months. The protocol’s cross-chain nature warrants further security research to protect the multichain future. Responsible disclosure and patching remain key.
Looking Ahead
Although an exploit was avoided this time, the incident highlights threats in an increasingly complex crypto ecosystem. Projects must emphasize defense-in-depth to ensure systemic security as innovations continue.
The IBC bug fix proves responsive patching protects users. But unknown flaws likely still lurk. Diligence by security researchers paired with swift action by developers will be essential as DeFi expands across chains.