Bounty: $4000 identify the person or persons who attacked the cosmos hub

It is of vital importance to actually address security issues

Cosmos chain teams sabotage @cosmoshub in order to gain competitive advantage, with the tacit blessing of @interchain_io and its contractors. Here’s proof:

Two weeks before the incident, the cosmos hub was running IBC v3.0.0 on mainnet, >6 months after v3.0.0 was retracted for security issues.

And I told @buchmanster, @JTremback, other members of informal hub team, and the full ibc team about the issue >2wks before the exploit and I cited that the @quicksilverzone launch was at risk.

To my knowledge, this has not ever been reported to police by @interchain_io, and I think that’s unacceptable.

If you think that’s acceptable, that’s your choice, but that means I do not want to work with you, or anywhere near you, so this is my litmus test.

I was asked not to tell anyone by @JTremback and @buchmanster.

I told no one, including quicksilver whose launch I could have saved. No one.

Then it got exploited.

Teams sabotage the hub to gain a competitive advantage, here are the tx details:

delegate address: cosmos13dqvh4qtg4gzczuktgnw8gc2ewnwmhdwnctekxctyr4azz4dcyysecgq7e

tx that shafted us up the bumholio: Mintscan

from this bad boy: Mintscan

received 2 atom from exchange

later sends atoms to cosmos1zl42hd5h9c7z4ej43fhss9nvgm6nuad0uup35h (Mintscan)

and later returns balance to exchange: Mintscan

note

  • This attack was very advanced. It was performed by a highly skilled user of the cosmos software stack.

  • What I’m trying to say is that

    • They’re one of us
    • They’re likely still around cosmos
  • It is impossible for me to rule out the possibility that they were given information about the vulnerability by icformal, since icformal was the only group I told about this issue, and since icformal never went to police.

  • Icformal never went to police.

  • The attacker also has a testnet account with the same address, where the attack was practiced

  • If ultimately ICF doesn’t take action here, I will take action regardless.

  • I recommend that the community interpret any lack of diligence as an attempt to protect the attacker, as making a police report and proving that it happened is very simple.

  • The exact vulnerable version of IBC that was on the hub at the time was v3.0.0, which used a predetermined, deterministic module account address formed by bech32ing the name of the module.

  • The vulnerability affected ICA, which is really only used by Quicksilver, Stride and Persistence. Their engineering teams would be familiar with the code involved.

  • On the testnet, there are transactions that “practice” the attack. Those transactions target the ica of pstake, but quicksilver was the target on mainnet.

  • For an active cosmos developer, who can read the release notes for IBC (requirements: English, golang, and cosmos) the attack could be easy to perform. Otherwise, you likely cannot figure out how to do it.

tweet

Feel free to speak with me on X or here.

funding

  • $2k from Jacob
  • $2k from anon

…more if anyone wants to toss it in the bucket to defend the hub.

standards

  • You’re going to need to prove the owner of the exchange account involved in the set of transactions above.

  • You agree to publish any and all findings to the public domain.

motive

  • This is for user safety, as well as contributor safety.
  • This is to ensure that we show the world what happens when you bad touch the hub, namely:


  • This is so I can learn if we are going to be serious from here in or not so much
  • Prevent future incidents
  • Make cosmos the most intolerant to bad actors when compared to other ecosystems – when all this is done, a potential attacker, no matter their motive, should KNOW IN THEIR SOUL that cosmos is where hackers go to find out, and hopefully choose a different target.

Earth shattering update!

3 Likes

Yeah it’s really not normal, except of course in Cosmos, where unfortunately we don’t seem to investigate stuff even though we should.

1 Like

bro, while I hope you find the one who did that, I doubt the aforementioned teams are interested in helping you. after all, the same ppl have been draining funds via juno and other slow rugpull projects for years

1 Like

I got these questions from a friend; the answers are mine.

  1. What exactly was the vulnerability?

The cosmos hub was using a version of IBC that was deprecated due to dragonberry and using module account names as the basis of module account addresses, deterministically.

  2. How was it exploited?

The module account address could be predicted by hashing the name of the module account. The attacker predicted this, and sent 1uatom into the ica, so when quicksilver connected to the hub, user funds got stuck when users tried to use quicksilver.

  3. What was the financial or operational impact to Quicksilver? Be specific.

It was devastating. Go to market is extremely sensitive, and Cosmos Hub team members referred to this as a Quicksilver issue. It was not. The Hub was simply not maintained, resulting in this issue.

The reality is that Quicksilver is a product that was made for the cosmos Hub. This is why it is increasingly difficult to recommend Cosmos. Apparently, Cosmos teams compete by hacking. Liquid staking in Cosmos was always very competitive.

The transactions mentioned lack clear chronology or linkage to an exploit scenario.

We now have an illustration, but I’ll work out a timeline too. The person who’s working on the bounty has actually discovered a number of new related transactions. Also, there is a weird linkage to sif chain!

IBC v3.0.0’s vulnerability is mentioned, but there’s no clear technical summary of what made it exploitable.

It was only exploitable because the Hub had not been upgraded. If the Hub had been maintained appropriately, the issue would have been fixed 6 months before. That’s why it was exploitable.

A step-by-step breakdown of how the attacker made users lose control of their funds would be helpful, and essential to understand if you want broader community support.

Interchain accounts did not function correctly so the atoms just kind of sat there. I will send the forum post to Joe so he can provide more information.

1 Like
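The address-prediction step described in the answers above (an account address derived from nothing but a public module name), as an added Python illustration that is not code from the post, from ibc-go or from the Cosmos SDK. It assumes the generic Cosmos SDK module-account convention (first 20 bytes of sha256 of the name, bech32-encoded with the cosmos prefix) rather than reproducing ibc-go v3.0.0's exact ICA derivation, uses a constructed name and balance, and pairs the derivation with the check a chain or controller team would want before registering such an account: is the predicted address already funded?

```python
import hashlib

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

def _polymod(values):
    # BIP-173 bech32 checksum polynomial.
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def _to_5bit(data):
    # Regroup 8-bit bytes into 5-bit symbols, zero-padding the last group.
    acc, bits, out = 0, 0, []
    for b in data:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:
        out.append((acc << (5 - bits)) & 31)
    return out

def bech32_encode(hrp, payload):
    data = _to_5bit(payload)
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    mod = _polymod(expanded + data + [0] * 6) ^ 1
    checksum = [(mod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)

def module_address(name, hrp="cosmos"):
    # Assumed Cosmos SDK convention: first 20 bytes of sha256(name); no secret feeds in.
    return bech32_encode(hrp, hashlib.sha256(name.encode()).digest()[:20])

def preexisting_accounts(names, chain_balances):
    # Defender check: predicted addresses already funded before registration (the post's 1uatom pre-seed).
    found = {}
    for name in names:
        addr = module_address(name)
        if addr in chain_balances:
            found[name] = (addr, chain_balances[addr])
    return found

# Constructed sample: a 1uatom balance parked on one predicted address.
SEEDED = {module_address("icacontroller-example"): 1}
HITS = preexisting_accounts(["icacontroller-example", "gov"], SEEDED)
```

HITS flags the seeded name and its address, while a name whose predicted address is untouched (here "gov") is not reported.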