On July 30th, 2024, Terra (Phoenix chain) experienced a catastrophic breach due to a reentrancy vulnerability linked to IBC hooks. The attack resulted in the loss of approximately $6.4 million, which included 60M $ASTRO, 3.5M $USDC, 500K $USDT, and 2.7 $BTC.
The vulnerability was known and patched in April 2024 but was accidentally reintroduced in a June upgrade. This incident highlights serious gaps in security practices and the impact of regulatory actions.
Terra chain had been halted for emergency upgrades, and steps are being taken to address the issue and prevent future exploits.
We've audited top DApps and DeFi protocols, ensuring they remain secure and Free from Hacks. Check out their audit reports to see our impact.
The exploit began with the instantiation of a malicious CosmWasm contract on the Terra blockchain. , followed by an IBC transfer that timed out. The contract was instantiated from Code ID 3114 in transactions such as 11426889
and 11426885
. This sequence of events allowed the attacker to initiate the exploit.
The vulnerability exploited was related to IBC hooks and involved reentrancy. By executing a malicious CosmWasm contract via IBC interactions, the attacker could recursively execute the same MsgTimeout inside the IBC hook for the OnTimeout callback before the packet commitment was deleted. This allowed for the siphoning of funds.
Specifically, transactions like 11426330
show the transfer of 300,000 axlUSDC from the attacker's Terra address to an Axelar address. The IBC protocol includes mechanisms for acknowledging and updating clients across chains, which the attacker used to their advantage.
The attacker executed IBC transfer transactions followed by inducing IBC channel timeouts (as seen in transactions 11427203
, 11427189
, 11427186
, 11427185
, etc.). This timeout allowed the malicious contract to reenter and execute unintended additional transactions.
The attacker executed multiple contract interactions that manipulated the IBC channel's state to reenter the contract execution process. This reentrancy allowed the attacker to siphon funds by exploiting the timeout mechanism.
For example, in transaction 11427207
, the attacker successfully transferred 112,000 axlUSDC from their Terra address to an Axelar address.
The attacker utilized the Astroport Router contract to perform swaps, converting stolen USDC to other tokens like LUNA and WBTC. Transaction 11426257
illustrates the swap of 100,000 axlUSDC for 0.001342 WBTC.
The attacker continued to execute large IBC transfers to move stolen funds off the Terra chain. Notable transactions include 11427207
for 112,000 axlUSDC and multiple smaller transactions like 11427194
, 11427186
, and 11427155
, each transferring thousands of axlUSDC.
The attacker managed to siphon approximately 60M $ASTRO, 3.5M $USDC, 500K $USDT, and 2.7 $BTC into an account. The stolen funds were then swiftly transferred out via IBC.
The exploit on the Terra chain was fundamentally due to the reintroduction of a previously patched reentrancy vulnerability associated with Inter-Blockchain Communication (IBC) hooks.
In April 2024, critical patches were applied to address this specific vulnerability in the ibc-go
library, which is essential for handling cross-chain transactions securely. However, during a system upgrade in June 2024, Terra inadvertently reintroduced an outdated internal fork of ibc-go
version 7.3.x. This version was missing these critical patches and did not incorporate the fixes necessary to prevent such vulnerabilities.
The outdated fork, which was not aligned with the more recent and secure versions (>7.4.1), contained the old, flawed codebase. This oversight meant that while Terra's system was updated in some areas, it was not fully protected against the known reentrancy attack vector. This reintroduced vulnerability allowed attackers to exploit the IBC hooks, leading to the significant exploit on July 30th, 2024.
Following the attack, Terra chain was halted for emergency upgrades to prevent further exploitation and to address the vulnerability.
Later on the issue was fixed and the chain was resumed.
Terra's team, along with Astroport contributors and Cosmos builders, worked on identifying and mitigating the issue. The primary focus was on upgrading to the latest patched version of ibc-go and ensuring no further vulnerabilities were present.
The oversight that led to the reintroduction of the vulnerability raises serious questions about security practices, especially in light of regulatory actions against Terraform Labs (TFL) by the SEC. The SEC's actions, while aimed at protecting investors, may have inadvertently contributed to the oversight by reducing the capacity of the Terra team.
Astroport took significant steps to mitigate the damage and recover the stolen assets: The attackers' $ASTRO on Neutron were seized and are being held in the Astroport Treasury. The attackers' Terra address was blacklisted from making any transactions. The IBC Hook vulnerability was patched to prevent further exploitation.
The attacker stole a total of approximately 58 million ASTRO tokens, with around 33 million ASTRO bridged to Neutron.
Approximately 13 million ASTRO were swapped for 124,000 axlUSDC and sent to an Ethereum address. Approximately 20 million ASTRO tokens remaining on Terra were blacklisted and cannot be moved.
The incident highlighted the importance of heeding security warnings. Jacob Gadikian, a former prominent figure in the Cosmos ecosystem, had flagged the vulnerabilities but was largely ignored. His experience underscores the need for better security communication and response mechanisms within the ecosystem.
Ensuring that all patches are properly applied and verified is crucial. Regular audits and automated checks can help prevent the reintroduction of known vulnerabilities. Leveraging both AI-powered and manual audits from QuillAudits can significantly enhance security measures, providing thorough and continuous assessments to detect and address potential vulnerabilities promptly.
Ready to secure your smart contracts? Take the first step towards a safer blockchain journey. Request an Audit with QuillAudits today & ensure your contracts are robust and secure!
The ecosystem needs better mechanisms for reporting and responding to security warnings. Ensuring that warnings from community members and developers are taken seriously can help prevent future exploits.
Implementing advanced security practices, such as the Circuit Breaker module in the Cosmos SDK, can help mitigate the impact of future vulnerabilities. Regular security drills and updates are necessary to stay ahead of potential threats.
Get Pure Alpha Straight to Your Inbox. Miss this, and you’re missing out.
Insider Secrets - Delivered Right to You. Subscribe now.