IBC had a close call with a critical vulnerability

The vulnerability enabled exploiters to replay a bug that would enable an infinite number of IBC tokens to be redeemed

by Bessie Liu /
article-image

Artwork by Crystal Le

share

A recent blog post by Asymmetric Research revealed there was a critical vulnerability that affected the inter-blockchain communication (IBC) protocol — a standard that enables interaction among individual cosmos chains.

This vulnerability was found specifically in ibc-go, the Golang high-level programming language implementation of the IBC protocol, and affected CosmWasm-based IBC middleware. 

IBC middleware was created to enable the integration of ICS20 with other IBC protocols. Similar to many bridging protocols, the middleware enables packets to be sent from one blockchain to another. These packets are stored as commitments before being properly received and deleted. If they are not received, tokens will be refunded through a timeout functionality. 

Newsletter

Subscribe to Blockworks Daily

Read more: Picasso connects Ethereum to Cosmos IBC

Asymmetric Research found that the flow between the module deleting the commitment control could be replayed, which meant it was possible to replay the bug and exploit an infinite number of IBC tokens. 

Multiple chains were vulnerable to the issue, with Osmosis, one of the largest cross-chain DEXs in the Cosmos ecosystem, being the largest chain that could have been affected. However, due to rate limiting on the chain, the damage the bug could have potentially caused was limited. 

According to Asymmetric Research, the vulnerability has been privately disclosed to the Cosmos HackerOne bug bounty program, and the issue itself has been resolved without any malicious exploitation. 

Read more: Helpful hackers net more than $640k in 1 year with crypto bug bounties

“This issue demonstrates how easy it is to break trust assumptions and introduce new vulnerabilities by adding new features and functionality. It is also another example of the importance of defense-in-depth,” Asymmetric Research wrote in a blog post.

The research noted specifically that Cosmos teams had strong security measures in place that could have saved them from existential risks. 

“A binary patch was released to fix the underlying IBC timeout reentrancy without breaking consensus. Contributors spent much time and effort assessing the security implications of the mentioned issues,” Asymmetric Research wrote.

Get the news in your inbox. Explore Blockworks newsletters:

  • Blockworks Daily: The newsletter that helps thousands of investors understand crypto and the markets, by Byron Gilliam.
  • Empire: Start your morning with the top news and analysis to inform your day in crypto.
  • Forward Guidance: Reporting and analysis on the growing intersection of crypto and macroeconomics, policy and finance.
  • 0xResearch: Alpha directly in your inbox. Market highlights, data, degen trade ideas, governance updates, token performance and more.
  • Lightspeed: Built for Solana investors, developers and community members. The latest from one of crypto’s hottest networks.
  • The Drop: For crypto collectors and traders, covering apps, games, memes and more.
  • Supply Shock: Tracking Bitcoin’s rise from internet plaything worth less than a penny to global phenomenon disrupting money as we know it.
Tags

Upcoming Events

Permissionless IV

Industry City | Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

buy ticketslearn more

Digital Asset Summit 2025

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

recent research

Research Report Templates.jpg

Research

Evaluating Bluefin’s Precarious Market Position

Bluefin possibly stands at an inflection point. The token is near an all-time low yet the protocol’s spot volume market share and derivatives exchange usage have been increasing month over month since its November launch. Given its current market position and the upcoming upgrades (for both Bluefin and SUI), there may be upside potential before the increased supply growth in December. However, strong opposition from existing competitors (like Cetus and Suilend), as well as new entrants (like Aftermath), pose key challenges to Bluefin’s medium-term success.

by Marc-Thomas Arjoon, CFA

/

news

article-image

AnalysisSupply Shock

How Silk Road carved the fault line that separates ‘bitcoin’ and ‘crypto’

Ross Ulbricht was a freedom maximalist building freedom tech, powered by Bitcoin

by David Canellis&Pete Rizzo /
article-image

DeFiLightspeed Newsletter

Solana startups spin up validators for revenue and ‘soft power’

Solana validators can reap benefits including payments, votes and community clout

by Jack Kubinec /
article-image

Sponsored

WCT’s Role in the Onchain Economy

WalletConnect is cementing itself as the essential connectivity layer, ensuring wallets remain the entry point for billions of users

article-image

Business

Galaxy to pay $200M to New York over alleged LUNA manipulation

According to a legal filing, Galaxy Digital helped boost the price of LUNA while quietly selling its tokens

by Katherine Ross /
article-image

FinanceForward Guidance Newsletter

T. Rowe Price PM touts ‘big potential’ of stablecoins

Tech fund portfolio manager Dominic Rizzo calls stablecoins “the most obvious use case for crypto”

by Ben Strack /
article-image

Forward Guidance NewsletterMarkets

Stablecoins and the bullish institutional outlook: DAS takeaways

Institutional players are energized by huge market shifts, “the scale of which you haven’t even imagined”

by Felix Jauvin /