IBC had a close call with a critical vulnerability

The vulnerability enabled exploiters to replay a bug that would enable an infinite number of IBC tokens to be redeemed

by Bessie Liu /
article-image

Artwork by Crystal Le

share

A recent blog post by Asymmetric Research revealed there was a critical vulnerability that affected the inter-blockchain communication (IBC) protocol — a standard that enables interaction among individual cosmos chains.

This vulnerability was found specifically in ibc-go, the Golang high-level programming language implementation of the IBC protocol, and affected CosmWasm-based IBC middleware. 

IBC middleware was created to enable the integration of ICS20 with other IBC protocols. Similar to many bridging protocols, the middleware enables packets to be sent from one blockchain to another. These packets are stored as commitments before being properly received and deleted. If they are not received, tokens will be refunded through a timeout functionality. 

Read more: Picasso connects Ethereum to Cosmos IBC

Asymmetric Research found that the flow between the module deleting the commitment control could be replayed, which meant it was possible to replay the bug and exploit an infinite number of IBC tokens. 

Multiple chains were vulnerable to the issue, with Osmosis, one of the largest cross-chain DEXs in the Cosmos ecosystem, being the largest chain that could have been affected. However, due to rate limiting on the chain, the damage the bug could have potentially caused was limited. 

According to Asymmetric Research, the vulnerability has been privately disclosed to the Cosmos HackerOne bug bounty program, and the issue itself has been resolved without any malicious exploitation. 

Read more: Helpful hackers net more than $640k in 1 year with crypto bug bounties

“This issue demonstrates how easy it is to break trust assumptions and introduce new vulnerabilities by adding new features and functionality. It is also another example of the importance of defense-in-depth,” Asymmetric Research wrote in a blog post.

The research noted specifically that Cosmos teams had strong security measures in place that could have saved them from existential risks. 

“A binary patch was released to fix the underlying IBC timeout reentrancy without breaking consensus. Contributors spent much time and effort assessing the security implications of the mentioned issues,” Asymmetric Research wrote.

Get the news in your inbox. Explore Blockworks newsletters:

Tags

Upcoming Events

Digital Asset Summit 2025

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

recent research

Research

by Research Team

news

article-image

Policy

Federal judge denies Ripple, SEC motion for indicative ruling

Judge Analisa Torres said the parties have not demonstrated that vacating her prior ruling is in the best interest of the public

by Casey Wagner /
article-image

Empire NewsletterOpinion

Why Kalshi’s new $2B valuation makes sense

Prediction markets have found a mainstream fit

by Katherine Ross /
article-image

The Breakdown

Permissionless IV, Day 2 takeaways

Money for enemies isn’t fun, but crypto can be

by Byron Gilliam /
article-image

Lightspeed NewsletterMarkets

Risk-on in Solana, even as ceasefire cools tensions

Onchain SOL perps wiped $31 million, outpacing CEX volumes two days in a row

by Jeff Albus /
article-image

Forward Guidance NewsletterPolicy

Powell says Fed will continue to monitor inflation before cutting rates

Fed Chair Jerome Powell told Senators Wednesday that the timeline on lowering interest rates is up in the air

by Casey Wagner /
article-image

FinanceForward Guidance Newsletter

Newly tokenized Janus Henderson CLO strategy sees $1B inflow

Credit infrastructure DeFi protocol Grove makes allocation into a CLO segment “ripe for movement into DeFi”

by Ben Strack /