2024-04-24

Cosmos: critical security bug fixed

Cosmos developers have fixed a "critical" security bug in the Inter-Blockchain Communication (IBC) protocol that put at least $126 million at risk, according to a blockchain security firm that privately alerted Cosmos to the problem.
"We privately disclosed the vulnerability as part of the Cosmos HackerOne Bug Bounty program and the problem has now been patched," Asymmetric Research announced on April 23.
"There was no malicious exploitation or loss of funds," it added.
The bug could have allowed a reentrancy attack, enabling a hacker to mint infinite tokens on IBC-connected chains such as Osmosis and other decentralized finance ecosystems in Cosmos.
"We believe that at least 126 million assets may have been stolen on the Osmosis platform. However, limiting the speed of Osmosis slows down the damage that could be caused."
Rate limits prevent, or at least mitigate, attacks that attempt to overload the system; they work by controlling the speed at which requests are sent.
Asymmetric noted that the bug has been present in ibc-go, the Go-language implementation of IBC, since its launch in 2021.
However, the bug only recently became exploitable, when Cosmos developers launched a new third-party application called IBC middleware, which allows ICS20 tokens (the inter-chain token standard) to cross chains.
"This issue shows how easy it is to break trust assumptions and introduce new vulnerabilities by adding new features and functionality. It's also another example of the importance of deep defense," Asymmetric stressed.