Terra Money IBC Hook Reentrancy Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Terra Money Logo/Homepage

The Terra blockchain is a hard fork of the original Terra Luna blockchain, which crashed due to the failure of the algorithmic stablecoin UST. An emergency patch for a critical reentrancy vulnerability was issued in April 2024 to all blockchains that are part of the Cosmos ecosystem. Unfortunately, Terra did not upgrade its protocol to apply the patch. The vulnerability was exploited to take millions of dollars' worth of assets. Some assets have been recaptured so far.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]

About Terra Money

"Terra is a blockchain protocol and payment platform used for algorithmic stablecoins. The project was created in 2018 by Terraform Labs, a startup co-founded by Do Kwon and Daniel Shin. It was best known for its Terra stablecoin and the associated LUNA reserve asset cryptocurrency."

"Terra hosts a vibrant ecosystem of diverse products and services. Create a Station wallet to start exploring and interacting with an array of ecosystem applications. With Pulsar Finance, the leading Web3 portfolio tracker, you can effortlessly monitor all your tokens, DeFi positions, and NFTs across Terra and over 100 other blockchains."

"Fueled by the passionate #LUNAtic community and deep developer talent pool, the Terra blockchain is built to enable the next generation of Web3 products and services. Build crypto's next killer app using Terra's suite of developer tools and resources."

"Terra was hard forked from the Terra Classic network following a major financial collapse in 2022, which was triggered by its algorithmic stablecoin, UST, losing its supposed peg to the US dollar."

The Reality

"The vulnerability was identified a few months ago and patched across the Cosmos ecosystem in April. However, a later upgrade in June on Terra failed to include this patch, leading to renewed exposure and the subsequent exploit, Zaki Manian, co-founder of Sommelier Protocol, explained."

"This bug was known as the IBC reentrancy infinite mint bug, and all Cosmos chains issued an emergency patch to remediate this issue."

"In April 2024 the IBC-Go library issued an emergency patch for the reentrancy bug. The affected version that is relevant to Terra is < 7.4.0. Terra was utilizing a custom version of IBC-Go 7.3.1 at the time of the attack (github.com/terra-money/ibc-go/v7 v7.3.1-terra.0) that was vulnerable to the exploit."
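An added example (not from the page, Terra or the ibc-go project) of the version check a node operator would run against the statement above: it reads a go.mod and reports whether the ibc-go/v7 module actually linked, after any replace directive, is below the 7.4.0 the page names as fixed. The go.mod fragment is constructed, and the replace line pointing at the terra-money fork is an assumed way of pinning it.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed go.mod fragment. The replace line is an assumed way a chain could
// pin the terra-money fork; the fork's version string itself is from the page.
const sampleGoMod = `module github.com/example/chain
require github.com/cosmos/ibc-go/v7 v7.3.1
replace github.com/cosmos/ibc-go/v7 => github.com/terra-money/ibc-go/v7 v7.3.1-terra.0
`
const ibcMod = "github.com/cosmos/ibc-go/v7"

// EffectiveIBCGoVersion returns the ibc-go/v7 version a build actually links: a
// replace directive carrying a version wins over the require entry (either form).
func EffectiveIBCGoVersion(gomod string) string {
	required, replaced := "", ""
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		switch {
		case len(f) >= 2 && f[0] == ibcMod:
			required = f[1]
		case len(f) >= 5 && f[0] == "replace" && f[1] == ibcMod && f[2] == "=>":
			replaced = f[4] // replace <old> => <new> <version>
		}
	}
	if replaced != "" {
		return replaced
	}
	return required
}

// VulnerableToASA2024007 reports whether a v7-line ibc-go version is below 7.4.0,
// the fix the page names; "-terra.0"-style suffixes are dropped, ok=false if unparsable.
func VulnerableToASA2024007(version string) (vulnerable, ok bool) {
	var major, minor, patch int
	core := strings.SplitN(strings.TrimPrefix(version, "v"), "-", 2)[0]
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &major, &minor, &patch); err != nil {
		return false, false
	}
	return major == 7 && minor < 4, true
}

func main() {
	fmt.Println(VulnerableToASA2024007(EffectiveIBCGoVersion(sampleGoMod))) // true true
}
```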

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Terra Money IBC Hook Reentrancy Vulnerability
| Date | Event | Description |
|---|---|---|
| April 5th, 2024 6:21:00 AM MDT | Reentrancy Article Published | "ASA-2024-007: Potential Reentrancy using Timeout Callbacks in ibc-hooks" is published, which outlines the exploit. |
| July 30th, 2024 6:18:35 AM MDT | Funds Bridged In | The attacker starts to bring in funds from Ethereum to their wallet. |
| July 30th, 2024 5:09:11 PM MDT | First Exploit Transfer | The first transfer of Ethereum funds from the exploit, which are bridged in through Uniswap. |
| July 30th, 2024 7:39:23 PM MDT | Final Exploit Transfer | The final swap related to the exploit transactions. |
| July 30th, 2024 10:06:00 PM MDT | Terra Pause Announced | Terra announces a pause in the blockchain starting shortly at block #11,430,400. |
| July 30th, 2024 10:17:05 PM MDT | Terra Blockchain Paused | The Terra blockchain is paused to deal with the vulnerability. |
| July 31st, 2024 12:20:06 AM MDT | The Block Article | The Block publishes an article on this incident. |
| July 31st, 2024 1:23:00 AM MDT | Beosin Tweet Posted | Beosin posts a tweet about the reentrancy vulnerability which was exploited. |
| July 31st, 2024 1:31:00 AM MDT | Cyvers Tweet | Cyvers tweets further about the exploit. |
| July 31st, 2024 1:40:00 AM MDT | Terra Blockchain Resumed | The Terra blockchain announces that it's been resumed. |

Technical Details

"According to Zaki Manian, co-founder of Sommelier Finance, although the vulnerability was patched in the Cosmos ecosystem back in April, Terra did not include this patch in their June upgrade, resulting in the vulnerability being re-exposed and exploited."

"Terra blockchain experienced a security breach that led to the theft of tokens. The attackers exploited a known vulnerability related to the third-party module IBC hooks, stealing the value of cross-chain assets, including USDC stablecoins and Astroport tokens. The Terra team has taken emergency measures to prevent further losses and coordinated with validators to apply a patch to fix the vulnerability."

"“There was a vulnerability in IBC hooks discovered by Composable Finance in April. It was patched across Cosmos. Terra was patched then,” Manian told The Block. “It appears that Terra's June upgrade did not include the patch. All the Axelar USDC bridged to Terra was stolen using the IBC hooks exploit. A large amount of ASTRO was also stolen.”"

Total Amount Lost

The total amount lost has been estimated at $5,280,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"Attention Terra users: Please be advised that the chain will be halted shortly at block height 11430400 and transactions will not be processed during this time.

We will be working with the validators on Terra (phoenix-1) to apply an emergency patch thereafter to remediate a suspected exploit."

Ultimate Outcome

"The Terra chain has resumed block production at approximately 4:19 AM UTC today and the emergency chain upgrade is now complete.

Transactions are now being processed, and users may resume normal activities.

Validators holding over 67% of the voting power on Terra have upgraded their nodes to prevent the exploit from recurring. More validators are expected to upgrade soon."

"After these events, both the Terra and Astroport teams took swift action to lessen the impact of the attack. The Terra team upgraded the IBC-Go version appropriately and also introduced a new blacklist antehandler. This will effectively add a step to the transaction pre-processing to see if the transaction signer is on a list of blacklisted addresses, and if so, it will block the transaction. It is important to note that this blacklist only has one address, and it is the ibc-exploiter’s terra address that is holding around $650,000 USD in stolen funds, mainly consisting of 20,000,000 ASTRO. These funds are now locked and are out of circulation.

The Astroport team was able to seize the ASTRO in the attacker's Neutron wallet because ASTRO recently migrated from a cw20 Terra token to a tokenfactory denom on Neutron. This gives the token admin unique privileges to recover the funds. This was accomplished through a force transfer from the attacker's Neutron wallet. It should be noted that this action was only possible on the origin chain of the Astro token (Neutron in this case) and would not have been possible if the token versions were wrapped."
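As an added illustration of the blacklist antehandler described in the quote above (example code written for this page, not Terra's own), a Go sketch of the check in the shape of a Cosmos SDK ante decorator: the SDK types are replaced by minimal stand-ins so it runs without the SDK, and the blocked address is a placeholder because the page does not give the exploiter's address.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the Cosmos SDK types a real decorator receives (sdk.Context,
// sdk.Tx, sdk.AnteHandler); a Tx here carries only its signer addresses.
type Tx struct{ Signers []string }
type AnteHandler func(tx Tx, simulate bool) error

// ErrBlacklisted is wrapped into the returned error so callers can errors.Is it.
var ErrBlacklisted = errors.New("transaction signer is blacklisted")

// BlacklistDecorator runs in transaction pre-processing and rejects any
// transaction signed by a listed address before later ante steps or messages run.
type BlacklistDecorator struct{ blocked map[string]struct{} }

func NewBlacklistDecorator(addrs ...string) BlacklistDecorator {
	m := make(map[string]struct{}, len(addrs))
	for _, a := range addrs {
		m[a] = struct{}{}
	}
	return BlacklistDecorator{blocked: m}
}

// AnteHandle follows the SDK decorator shape: check, then hand off to next.
func (d BlacklistDecorator) AnteHandle(tx Tx, simulate bool, next AnteHandler) error {
	for _, s := range tx.Signers {
		if _, hit := d.blocked[s]; hit {
			return fmt.Errorf("%w: %s", ErrBlacklisted, s)
		}
	}
	return next(tx, simulate)
}

// Placeholder: the page does not give the exploiter's Terra address.
const blockedAddr = "terra1PLACEHOLDER_EXPLOITER_ADDRESS"
// CheckTx admits or rejects a transaction with the given signers, using a
// pass-through closure in place of the rest of the ante chain.
func CheckTx(signers ...string) error {
	dec := NewBlacklistDecorator(blockedAddr)
	return dec.AnteHandle(Tx{Signers: signers}, false, func(Tx, bool) error { return nil })
}

func main() {
	fmt.Println(CheckTx("terra1honestuser"))              // <nil>: admitted
	fmt.Println(CheckTx("terra1honestuser", blockedAddr)) // error: blocked
}
```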

Total Amount Recovered

The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References