Recently, the ibc-go team received a report via Hacker One of a potential security vulnerability impacting IBC connected full nodes. This issue is low-severity in general, and it has a low impact and likelihood of exploitation. Depending on how a full node is architected, this issue could potentially yield a high or critical severity vulnerability.
ALL versions of ibc-go are affected. A patch to remediate this issue will be released on May 25th at 15:00 CET in the following versions:
Note that the patch is NOT state-machine breaking. The patch can be deployed individually by validators and full nodes without a chain-halt upgrade and should be applied as soon as possible. Though many potentially impacted parties have mitigations in place to prevent the issue from introducing vulnerability into their architectures, we highly recommend that full node operators, oracle networks, and bridges prepare to patch their implementations as quickly as possible once the release is available to fully remediate this issue.
oh hey, quick question – in this case, “we” is the ibc-go team?
I am just trying to understand the flow. Currently I have in fact recommended against using H1 at all especially if an item is important.
It’s no reflection on the ibc-go team, by the way. I believe that the issue has been (and maybe still is?) the org controlling the H1 parent account. IBC-GO crew definitely cannot be blamed for not getting to a report on an issue in Tendermint that happened >18 months ago. Just, since then, I’ve let people know that maybe H1 isn’t the best path, especially for items that carry critical importance.
Thank you for the patch, and for your work in general.
The bounty rewards for Cosmos are absolutely pathetic. cosmos-sdk or ibc-go are used by chains that have a combined TVL of billions of dollars and the reward of finding a critical bug that compromises these billions of dollars is 5k? You should seriously take a look at immunefi to get a sense what protocols pay out in web3 these days.
I’ve made reports there. I’ve seen them go to naught with no response for 18 days.
That’s dangerous and I’m just trying to get a clear understanding of the flow and process, so I can assess whether or not it is correct to continue advising people who are reporting issues, that at most, they should be doing H1 plus contacting the relevant team lead.
I really don’t know who is involved in that flow and I know it’s been really bad in the past. The money is kind of whatever, compared to the value of these reports.
Hacker One is the best way to disclose potential vulnerabilities. We monitor it closely for any incoming reports and try to react promptly. Apologies again for the poor experience in the past, though. Informal Systems has recently taken the lead on setting up better processes and improving response times, so hopefully you will notice things getting better.
We will also re-evaluate the value of the bounties. Bumping the bounties was on the table a few months ago, but the conversation died a bit, so we will try to pick it up again.
Is there a CVE for this advisory? It would be helpful to have a better understanding of the severity, mechanisms and risks. In particular, what would turn this from “low severity / low impact” into “high severity / critical”?