On Oct. 13, Ethan Buchman, co-founder of interblockchain communication (IBC) ecosystem Cosmos, said that a “critical security vulnerability” had been discovered that “impacts all IBC-enabled Cosmos chains, for all versions of IBC.” Buchman assured that steps have already been taken to ensure that all major public IBC-enabled chains have been patched, stating:
“A chain is safe from the critical vulnerability as soon as ⅓ of its voting power has applied the patch. Chains should still seek to patch to ⅔ as quickly as possible once the official patch is released.”
A public version of the patch will be released in the Cosmos SDK (software development kit) v0.45.9 and v0.46.3 tomorrow at 14:00 UTC. Buchman recommends that all chains and validators apply it immediately upon release and that chain-halting is not required for it to take effect.
The issue appears to have come to light after core developers of Cosmos and Osmosis (the leading decentralized exchange on Cosmos) ramped up security audits in light of a $100 million cross-chain bridge exploit on BNB Chain on Oct. 6.
Cross-chain bridges solve a variety of problems in decentralized finance by allowing users to port digital assets across multiple protocols. However, they tend to be more complex than regular decentralized applications, and if the source code is copy-and-pasted across protocols, the vulnerability can be amplified dramatically.
Nevertheless, the vast majority of cross-chain bridge hacks this year, such as the Ronin and Nomad bridge exploits, have occurred on Ethereum Virtual Machine blockchains. On the contrary, security breaches on chains in Cosmos’ IBC ecosystem have been few and far between. There are currently about 45 blockchains built using the Cosmos SDK.