Patched Cosmos Bug Could've Put $150M At Risk, Says Firm That Reported It

The reentrancy bug was discovered by Asymmetric Research, a core contributor to the Wormhole interoperability protocol.

AccessTimeIconApr 23, 2024 at 1:00 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

Asymmetric Research, a security firm that contributes to the Wormhole interoperability protocol, disclosed details of a vulnerability impacting the Cosmos blockchain ecosystem that it says could have put more than $150 million at risk.

Asymmetric privately disclosed the bug – a "reentrancy vulnerability" – to the Cosmos development team and says it was addressed before anyone had the opportunity to exploit it.

"We privately disclosed the vulnerability through the Cosmos HackerOne Bug Bounty program and the issue is now patched," Asymmetric said in a statement. "No malicious exploitation took place and no funds were lost."

Jessy Irwin, CEO of Amulet, which is engaged by the Interchain Foundation to run the bug bounty program and coordinate security across the Cosmos ecosystem, confirmed in an email that the issue was reported, and that an advisory note had been released on the matter.

A Cosmos first

The Cosmos ecosystem is a community of blockchains that share some code and core modules. Although the bug didn't result in the loss of funds, it was significant in that it marked the first time a reentrancy vulnerability has been discovered for the ecosystem – widely considered to be one of the most trustworthy and secure blockchain technology platforms.

A primary component of most Cosmos chains is the Inter-Blockchain Communication Protocol, or IBC – a technology that allows blockchains to easily communicate with one another and send assets back and forth. The vulnerability Asymmetric discovered was in ibc-go, a reference implementation of IBC used by a number of Cosmos chains.

"During the coordination of this issue, both Amulet and the IBC-go team engaged in independent rounds of risk-based impact assessment to identify potentially impacted parties to mitigate its impact," according to Irwin.

The vulnerability, a type of reentrancy bug, would've theoretically allowed an attacker to mint infinite tokens on IBC-connected chains like Osmosis, which hosts one of the largest decentralized finance (DeFi) ecosystems on Cosmos.

"While this vulnerability has existed in ibc-go since the beginning, it only became exploitable due to recent developments in the Cosmos SDK ecosystem," Asymmetric said in a blog post published Tuesday. The vulnerability was unlocked with the advent of "IBC middleware" – third-party applications built using CosmWasm, a WebAssembly-based smart contract runtime, that allows tokens to be used across blockchains.

"This vulnerability highlights the critical need for more research into cross-chain security risks to protect the multichain ecosystem better," said Asymmetric CEO Jonathan Claudius, formerly the security chief at venture firm Jump Crypto. "This case demonstrates our capability and ongoing efforts to discover and neutralize existential threats that could undermine the digital economy."


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Sam Kessler

Sam is CoinDesk's deputy managing editor for tech and protocols. He reports on decentralized technology, infrastructure and governance. He owns ETH and BTC.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.