Members of the core Cosmos and Osmosis teams have been extensively auditing IBC in the aftermath of the BSC exploit. We have discovered a critical security vulnerability that impacts all IBC-enabled Cosmos chains, for all versions of IBC.
Steps have already been taken to ensure that all major public IBC-enabled chains have been patched. Given the severity, we have been working tirelessly with core development teams and validators across the ecosystem to make the patch available privately and ensure chains are patched before communicating publicly.
Members of the Informal Systems, Interchain GmbH, and Osmosis teams have been coordinating with a majority of the chains in the interchain. If you lead development of a Cosmos blockchain project that has not been patched, please reach out immediately to security@interchain.io.
A chain is safe from the critical vulnerability as soon as ⅓ of its voting power has applied the patch. Chains should still seek to bring ⅔ of their voting power onto the patch as quickly as possible once the official patch is released.
A public version of the patch will be released in Cosmos SDK v0.45.9 within 24 hours, at 14:00 UTC on Friday, October 14, 2022. All chains and validators are strongly advised to upgrade to the newly released patch immediately, even if they have already patched privately.
The patch can be deployed individually by validators without a chain-halt upgrade and should be applied as soon as possible. That said, it is still possible that validators and/or chains will halt during the upgrade process. If this happens, please contact security@interchain.io immediately.
We will continue to audit the codebase and to organize additional third-party audits. If you find a vulnerability, please disclose it responsibly via our bug bounty program on HackerOne.
This notice has been posted in accordance with the Cosmos vulnerability disclosure policy.