Patched Cosmos Bug Could've Put $150M At Risk, Says Firm That Reported It

Asymmetric Research, a security firm that contributes to the Wormhole interoperability protocol, disclosed details of a vulnerability impacting the Cosmos blockchain ecosystem that it says could have put more than $150 million at risk.

Asymmetric privately disclosed the bug – a "reentrancy vulnerability" – to the Cosmos development team and says it was addressed before anyone had the opportunity to exploit it.

"We privately disclosed the vulnerability through the Cosmos HackerOne Bug Bounty program and the issue is now patched," Asymmetric said in a statement. "No malicious exploitation took place and no funds were lost."

Jessy Irwin, CEO of Amulet, which is engaged by the Interchain Foundation to run the bug bounty program and coordinate security across the Cosmos ecosystem, confirmed in an email that the issue was reported, and that an advisory note had been released on the matter.

A Cosmos first

The Cosmos ecosystem is a community of blockchains that share some code and core modules. Although the bug didn't result in the loss of funds, it was significant in that it marked the first time a reentrancy vulnerability has been discovered for the ecosystem – widely considered to be one of the most trustworthy and secure blockchain technology platforms.

A primary component of most Cosmos chains is the Inter-Blockchain Communication Protocol, or IBC – a technology that allows blockchains to easily communicate with one another and send assets back and forth. The vulnerability Asymmetric discovered was in ibc-go, a reference implementation of IBC used by a number of Cosmos chains.

"During the coordination of this issue, both Amulet and the IBC-go team engaged in independent rounds of risk-based impact assessment to identify potentially impacted parties to mitigate its impact," according to Irwin.

The vulnerability, a type of reentrancy bug, would've theoretically allowed an attacker to mint infinite tokens on IBC-connected chains like Osmosis, which hosts one of the largest decentralized finance (DeFi) ecosystems on Cosmos.

"While this vulnerability has existed in ibc-go since the beginning, it only became exploitable due to recent developments in the Cosmos SDK ecosystem," Asymmetric said in a blog post published Tuesday. The vulnerability was unlocked with the advent of "IBC middleware" – third-party applications built using CosmWasm, a WebAssembly-based smart contract runtime, that allows tokens to be used across blockchains.

"This vulnerability highlights the critical need for more research into cross-chain security risks to protect the multichain ecosystem better," said Asymmetric CEO Jonathan Claudius, formerly the security chief at venture firm Jump Crypto. "This case demonstrates our capability and ongoing efforts to discover and neutralize existential threats that could undermine the digital economy."