Cosmos IBC Protocol Bug Patched, Preventing Potential $126 Million Loss

2024/04/24 10:21

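Cosmos developers have resolved a critical security vulnerability in the Inter-Blockchain Communication (IBC) protocol, protecting at least $126 million from potential theft. Blockchain security firm Asymmetric Research discovered the vulnerability and notified Cosmos through the HackerOne Bug Bounty program. The vulnerability had existed since IBC launched in 2021 and allowed unlimited minting of tokens on IBC-connected chains. However, rate limits implemented by Osmosis, a popular IBC-connected decentralized finance ecosystem, mitigated the potential damage. Cosmos resolved the issue within three weeks, demonstrating the importance of defense-in-depth and ongoing security research in the multichain ecosystem.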

A critical security vulnerability in the Inter-Blockchain Communication (IBC) protocol of the Cosmos blockchain platform has been addressed, mitigating a potential loss of up to $126 million. The issue was privately reported to Cosmos by blockchain security firm Asymmetric Research, which played a pivotal role in safeguarding the network.

In a statement released on April 23, Asymmetric Research confirmed the vulnerability's existence and its subsequent resolution: "We privately disclosed the vulnerability through the Cosmos HackerOne Bug Bounty program and the issue is now patched."

According to Asymmetric Research, the bug allowed for a reentrancy attack, potentially enabling malicious actors to mint an infinite number of tokens on IBC-connected chains, such as Osmosis and other decentralized finance (DeFi) platforms built on Cosmos. "We believe at least 126M+ in assets could have been stolen on Osmosis," the firm stated.

However, Asymmetric Research emphasized that due to rate limiting mechanisms in place on Osmosis, the damage that could have been caused was mitigated. Rate limits are employed to control the rate at which requests are made, preventing or minimizing the impact of attacks that attempt to overwhelm a system.
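The bounded-loss effect of a rate limit, as an added example in Go (not code from Osmosis, ibc-go or the original article). The `OutflowLimiter` type, its basis-point quota, the 24-hour window and all sample values are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var ErrQuotaExceeded = errors.New("outflow quota exceeded for this window")

// OutflowLimiter (hypothetical) caps how much of one denom may leave over a
// channel per window, as basis points of the channel value at window start.
type OutflowLimiter struct {
	Window   time.Duration
	MaxBps   uint64
	start    time.Time
	baseline uint64 // snapshotted once per window; later mints cannot raise the quota
	sent     uint64 // outflow already admitted in this window
}

// Send admits an outbound transfer or rejects it once the quota is used up.
func (l *OutflowLimiter) Send(now time.Time, channelValue, amount uint64) error {
	if l.start.IsZero() || now.Sub(l.start) >= l.Window {
		l.start, l.baseline, l.sent = now, channelValue, 0
	}
	quota := l.baseline / 10000 * l.MaxBps // divide first to avoid overflow
	if amount > quota-l.sent {
		return ErrQuotaExceeded
	}
	l.sent += amount
	return nil
}

// Drain replays n attempts spaced step apart and returns the total admitted.
func Drain(l *OutflowLimiter, t0 time.Time, n int, step time.Duration, amount uint64, valueAt func(int) uint64) (out uint64) {
	for i := 0; i < n; i++ {
		if l.Send(t0.Add(time.Duration(i)*step), valueAt(i), amount) == nil {
			out += amount
		}
	}
	return out
}

func main() {
	l := &OutflowLimiter{Window: 24 * time.Hour, MaxBps: 500} // 5% per day
	t0 := time.Date(2024, 4, 1, 0, 0, 0, 0, time.UTC)
	// Constructed scenario: value starts at 126,000,000 and inflates per attempt.
	v := func(i int) uint64 { return 126_000_000 + uint64(i)*10_000_000 }
	fmt.Println(Drain(l, t0, 100, time.Minute, 1_000_000, v))
}
```

The quota is rebased when a new window opens, so a limit like this bounds the loss per window and buys response time; it does not remove the underlying bug.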

The vulnerability had persisted in the ibc-go implementation of IBC since its launch in 2021. It became exploitable only recently, following the introduction of a new third-party application known as IBC middleware, which facilitates the transfer of ICS20 (interchain token standard) tokens across different chains.

Asymmetric Research underscored the critical need for ongoing research into cross-chain security risks to enhance the protection of the multichain ecosystem: "This issue demonstrates how easy it is to break trust assumptions and introduce new vulnerabilities by adding new features and functionality. It is also another example of the importance of defense-in-depth."

The bug was resolved approximately three weeks ago by Cosmos developer Carlos Rodriguez, as indicated by a GitHub commit. This incident marks the second "critical" security vulnerability identified in the IBC protocol within the past year, further highlighting the importance of vigilance in blockchain security.
