it is of vital importance to actually address security issues
Cosmos chain teams sabotage @cosmoshub in order to gain competitive advantage, with the tacit blessing of @interchain_io and its contractors, here’s proof:
two weeks before the incident, the cosmos hub was running IBC v3.0.0 on mainnet >6mos after v3.0.0 was retracted for security issues.
And I told @buchmanster, @JTremback, other members of informal hub team, and the full ibc team about the issue >2wks before the exploit and I cited that the @quicksilverzone launch was at risk.
To my knowledge, this has not ever been reported to police by @interchain_io, and I think that’s unacceptable.
If you think that’s acceptable, that’s your choice, but that means I do not want to work with you, or anywhere near you, so this is my litmus test.
I was asked not to tell anyone by @JTremback and @buchmanster.
I told no one, including quicksilver whose launch I could have saved. No one.
Then it got exploited.
Teams sabotage the hub to gain a competitive advantage, here are the tx details:
delegate address: cosmos13dqvh4qtg4gzczuktgnw8gc2ewnwmhdwnctekxctyr4azz4dcyysecgq7e
tx that shafted us up the bumholio: Mintscan
from this bad boy: Mintscan
received 2 atom from exchange
later sends atoms to cosmos1zl42hd5h9c7z4ej43fhss9nvgm6nuad0uup35h (Mintscan)
and later returns balance to exchange: Mintscan
note
- This attack was very advanced. It was performed by a highly skilled user of the cosmos software stack.
- What I’m trying to say is that
  - They’re one of us
  - They’re likely still around cosmos
- It is impossible for me to rule out the possibility that they were given information about the vulnerability by icformal, since icformal was the only group I told about this issue, and since icformal never went to police.
- Icformal never went to police.
- The attacker also has a testnet account with the same address, where the attack was practiced
- If ultimately ICF doesn’t take action here, I will take action regardless.
- I recommend that the community interpret any lack of diligence as an attempt to protect the attacker, as making a police report and proving that it happened is very simple.
- The exact vulnerable version of IBC that was on the hub at the time was v3.0.0, which used a predetermined, deterministic module account address formed by bech32ing the name of the module.
- The vulnerability affected ICA, which is really only used by Quicksilver, Stride and Persistence. Their engineering teams would be familiar with the code involved.
- On the testnet, there are transactions that “practice” the attack. Those transactions target the ica of pstake, but quicksilver was the target on mainnet.
- For an active cosmos developer, who can read the release notes for IBC (requirements: English, golang, and cosmos) the attack could be easy to perform. Otherwise, you likely cannot figure out how to do it.
tweet
Feel free to speak with me on X or here.
funding
- $2k from Jacob
- $2k from anon
…more if anyone wants to toss it in the bucket to defend the hub.
standards
- You’re going to need to prove the owner of the exchange account involved in the set of transactions above.
- You agree to publish any and all findings to the public domain.
motive
- This is for user safety, as well as contributor safety.
- This is to ensure that we show the world what happens when you bad touch the hub, namely:
- This is so I can learn if we are going to be serious from here in or not so much
- Prevent future incidents
- Make cosmos the most intolerant to bad actors when compared to other ecosystems – when all this is done, a potential attacker, no matter their motive, should KNOW IN THEIR SOUL that cosmos is where hackers go to find out, and hopefully choose a different target.