Reentrancy Bug Almost Cost Cosmos $150 Million

Reading Time: 2 minutes
  • Asymmetric Research has prevented a potential $150 million loss by identifying and disclosing a critical reentrancy vulnerability in the Cosmos ecosystem
  • The flaw was swiftly addressed by the Cosmos development team before any exploitation could occur
  • This marks the first instance of such vulnerability for Cosmos, which has remained exploit-free since its 2019 launch

Blockchain security company Asymmetric Research has claimed that it prevented a potential $150 million loss by identifying a critical bug in the Cosmos ecosystem. The flaw, identified as a “reentrancy vulnerability,” was disclosed to the Cosmos development team and swiftly addressed before any exploitation could occur. The revelation is the first of its kind for Cosmos, which has remained exploit-free since its 2019 launch.

Reentrancy Attacks a Real Concern

A reentrancy vulnerability occurs when an application or smart contract can be interrupted and re-entered before the initial execution is completed. This can allow an attacker to repeatedly re-enter the code and potentially exploit the system to gain unauthorized access or manipulate data.

Aave’s Earning Farm was compromised through a reentrancy attack last August, which saw over $280,000 siphoned from the platform although. For obvious reasons, full details of the Cosmos flaw have not been released, but Jessy Irwin, CEO of Amulet, responsible for coordinating security efforts across the Cosmos ecosystem, confirmed the vulnerability and advised chain operators to “immediately upgrade to the latest patch fix version.”

New Development Unearthed Flaw

Asymmetric Research published a blog post regarding its discovery, noting that “While this vulnerability has existed in [Cosmos] since the beginning, it only became exploitable due to recent developments in the Cosmos SDK ecosystem.” The development in question was the advent of “IBC middleware,” third-party applications that allow tokens to be used across blockchains.

Asymmetric CEO Jonathan Claudius said that the vulnerability “highlights the critical need for more research into cross-chain security risks to protect the multichain ecosystem better” and added that the case demonstrated its “capability and ongoing efforts to discover and neutralize existential threats that could undermine the digital economy.”