Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cosmos-SDK & IBC Vulnerability Retrospective: Security Advisories Dragonberry and Elderflower (October 2022) - 1176

ebuchman - Posted 2 Years Ago
  • The Binance Chain IAVL Merkle Tree hack raised flags about security issues within the Cosmos SDK. As a result, the developers started diving into the code base to look for further issues. From this, they found two more vulnerabilities: Dragonberry and Elderflower.
  • Inter-Blockchain Communication (IBC) is the protocol used to communicate across blockchains in the Cosmos ecosystem. IBC has a user-configurable timeout mechanism that allows for reclaiming funds in the event that a packet is not relayed on time.
  • The ics23 proposal was all about a binary representation for Merkle proofs. The vulnerability appears to be in the original implementation of this proposal. According to the advisory, there was a way to forge the proof. Since this has to do with money, an attacker could have used the bad proof to iteratively drain the ICS-20 escrow accounts of every user.
  • To make this transaction harder to find, they added the entire file with the included changes. Although I looked at the old and updated versions, I couldn't find the actual bug in the implementation being used.
  • The second vulnerability was within the AuthZ module. It was found by multiple parties at once, independently from the Cosmos team. The Cosmos SDK uses ValidateBasic() to check that a message is valid. However, the module was missing this check, making invalid state transitions possible. This would have allowed an attacker to manipulate a market in strange ways.
  • Overall, I wish we had a better picture of these vulnerabilities and how to exploit them. It's super interesting to see these issues come to light all at once within the Cosmos ecosystem, though.
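
To illustrate the AuthZ bullet above, here is an added Go example (not Cosmos SDK code and not taken from the advisory) of a dispatcher that runs wrapped messages with and without calling ValidateBasic() on them. The `Transfer`, `ExecWrapper`, `Ledger` and `Dispatch` names, the wrapper shape and the balances are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Transfer is a hypothetical message moving Amount from From to To.
type Transfer struct {
	From, To string
	Amount   int64
}

// ValidateBasic is the stateless sanity check each message is expected to pass.
func (t Transfer) ValidateBasic() error {
	if t.From == "" || t.To == "" || t.Amount <= 0 {
		return errors.New("invalid transfer")
	}
	return nil
}

// ExecWrapper is a hypothetical message that carries inner messages.
type ExecWrapper struct{ Inner []Transfer }
// Ledger is constructed sample state (account -> balance).
type Ledger map[string]int64

// Dispatch applies the wrapped messages; validate=false models the missing check.
func Dispatch(l Ledger, w ExecWrapper, validate bool) error {
	for _, m := range w.Inner { // validate everything before touching state
		if err := m.ValidateBasic(); validate && err != nil {
			return fmt.Errorf("inner message rejected: %w", err)
		}
	}
	for _, m := range w.Inner {
		if l[m.From] < m.Amount { // a negative Amount always passes this test
			return errors.New("insufficient funds")
		}
		l[m.From] -= m.Amount
		l[m.To] += m.Amount
	}
	return nil
}

func main() {
	bad := ExecWrapper{Inner: []Transfer{{From: "alice", To: "bob", Amount: -50}}} // constructed input
	for _, validate := range []bool{false, true} {
		l := Ledger{"alice": 100, "bob": 100}
		fmt.Println(validate, Dispatch(l, bad, validate), l)
	}
}
```

The handler's own balance check is not a substitute for ValidateBasic(): it assumes the amount is already known to be positive, so skipping validation on the wrapped message lets the transfer run in reverse.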