Cosmos’ $8B ecosystem threatened by critical vulnerability

by Arthur · October 14, 2022

Cosmos’ B ecosystem threatened by critical vulnerability

Table of Contents

Important takeaways

A critical security vulnerability threatened all IBC-enabled blockchains, Cosmos developers recently discovered.
The attack vector was discovered after last week’s BNB Chain exploit.
An update has already been communicated privately to Cosmos developers and validators.

Last week’s BNB Chain attack led Cosmos developers to inspect their IBC code. They found a critical security vulnerability that put any IBC-enabled blockchain at risk.

Cosmos compromised

It appears that the entire Cosmos ecosystem was threatened by a single vulnerability.

According to an announcement posted today in the Cosmos Hub governance forum by co-founder Ethan Buchman, lead developers recently discovered a “critical security vulnerability affecting all IBC-enabled Cosmos chains, for all versions of IBC.”

Cosmos is a decentralized network of blockchains connected through the Inter-Blockchain Communication Protocol (IBC), which enables users to jump from one Cosmos blockchain to another seamlessly. At the time of writing there is 42 IBC enabled blockchains, including Cosmos Hub, Osmosis, Cronos and Evmos. According to the project’s website, the combined market value of all IBC-enabled chains reaches $8.18 billion.

Other major blockchains such as OKX Chain, Luna Classic and Thorchain have also integrated IBC in the past. However, for various reasons they have either disabled the feature or never fully enabled it in the first place. BNB Chain is one of these projects. The recent attack against it (where a hacker drained $566 million from the blockchain’s bridge) encouraged Cosmos developers to investigate whether other IBC blockchains might be vulnerable to the same exploit.

Buchman stated that steps had already been taken to patch large IBC blockchains. The patch was first made available privately to give developers and validators time to update their chains before the vulnerability went public. According to him, more than a third of a blockchain’s voting power must use a patch for the project to be secure. The Cosmos SDK will release a public version of the update on October 14 at 14:00 UTC. Buchman advised all Cosmos chains and validators to upgrade to the public update as soon as possible, even if they had already integrated the private update.

Disclosure: At the time of writing, the author of this piece owned BTC, ETH, ATOM, OSMO and several other cryptocurrencies.

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representations or warranties as to the timeliness, completeness or accuracy of information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not provide personal investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may be out of date, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update outdated, incomplete or inaccurate information.

You should never make an investment decision about an ICO, IEO or other investment based on the information on this website, and you should never interpret or otherwise rely on the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice about an ICO, IEO or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sale, securities or commodity.

See full terms and conditions.