Last week, the BNB Smart Chain found itself in the midst of the turmoil. Indeed, the BSC Token Hub was the target of a major attack. In total, the equivalent of 500 million dollars was stolen. Unfortunately, this flaw is not unique to the BNB Smart Chain. It also seems to affect the Cosmos IBC.
Hack on the NBB Smart Chain
On October 7th, Binance’s BNB Chain found itself in a more than delicate situation. Around midnight French time, the BNB Smart Chain was paused. This situation follows the identification of irregularities on the blockchain.
Quickly, the thesis of the attack is explored. Thus, an account was quickly identified for having managed to obtain 2 million BNB in what appears to be a hack.
Finally, Changpeng CZ Zhao put an end to the speculation two hours after the rumors began.
“An attack on an inter-channel bridge, BSC Token Hub, resulted in the detour of BNB. We have asked all validators to temporarily suspend BSC. The problem is now under control. Your funds are safe […] The current estimate of the loss is approximately US$100 million equivalent, about a quarter of BNB’s last burn.”
News that was later confirmed by the findings of several crypto-investigators. Indeed, the latter revealed that there was a flaw in the verification of evidence on the BSC Token Hub.
“In short, there was a bug in the way the Binance bridge verified proofs, which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker only forged two messages, but the damage could have been much worse.”
In the end, Binance teams were able to recover 400 of the 500 million stolen.
Cosmos IBC: the real cause of the attack?
Afterwards, many Internet users wondered about the possible link between this flaw and the Cosmos IBC.
Indeed, the Binance blockchain ecosystem is composed of two blockchains:
- BNB Beacon chain: which provides governance for the BNB Smart Chain;
- BNB Smart Chain: blockchain compatible with the Ethereum Virtual Machine.
Except that in practice, the BNB Beacon Chain was launched using the Cosmos SDK and therefore falls into the Cosmos chain category.
Unfortunately, the Internet users who considered a link between the hack and IBC were perfectly right.
Thus, following the attack, Cosmos and Osmosis teams have extensively audited the code of the IBC (Inter Blockchain Communication) protocol allowing cross-chain communication.
Finally, on October 13, they revealed that they had detected a critical vulnerability in the IBC code. Consequently, this flaw impacts all Cosmos blockchains that have activated the IBC.
“We have discovered a critical security vulnerability that affects all IBC-enabled Cosmos chains, for all versions of IBC. Steps have already been taken to ensure that all major public IBC-enabled chains have been patched.”
While the major blockchains using IBC have been patched, the Cosmos teams urge developers of chains that have not been updated to use the CosmosSDK v0.46.3 patch.
At this time, no specific details about the discovered critical flaw have been disclosed. These details should be revealed in the coming weeks, once it does not put entire ecosystems at risk.
For its part, the BNB Smart Chain has deployed the Moran hard fork to mitigate the flaw. This includes a fix for the vulnerability as well as several additions to prevent such an event from happening again.