Cosmos Patches Critical Security Bug to Safeguard $126M in Assets

Cosmos devs were able to fix a serious security issue in the Inter-Blockchain Communication (IBC) protocol that endangered more than $126 million in assets.

Security and fraud continue to weigh on the shoulders of the crypto industry. Some of the more recent incidents include the successful patching of a critical vulnerability in the Cosmos IBC protocol by its developers, which prevented potential losses of more than $126 million. However, the rise of Sybil attacks is still a major threat, with scammers exploiting popular airdrops and creating fake accounts to manipulate blockchain networks and mislead legitimate users. Kaspersky also reported a sophisticated scam targeting Telegram users by deceiving them into buying worthless "boosters" in a fake earning program related to the TON blockchain.

Cosmos Dev Team Successfully Resolves Major Security Flaw

According to Asymmetric Research, Cosmos developers successfully fixed a serious security flaw in the Inter-Blockchain Communication (IBC) protocol that put more than $126 million in assets at risk. The security firm identified the vulnerability and reported it privately through the Cosmos HackerOne Bug Bounty program.

The flaw had been present since IBC's implementation in ibc-go in 2021, and became a major risk after the introduction of IBC middleware. This new feature, intended to facilitate the cross-chain transfer of ICS20 tokens, inadvertently made it possible for attackers to execute a reentrancy attack. This would have allowed attackers to mint unlimited amounts of tokens on networks like Osmosis and other Cosmos-based decentralized finance ecosystems.

Fortunately, the bug was fixed before any malicious activity could happen, and Asymmetric Research confirmed that no funds were compromised. They believe that while the potential for damage was serious, especially on platforms like Osmosis where more than $126 million could have been at risk, built-in rate limits helped mitigate the possible impact. These limits help contain such attacks by capping how quickly requests, and the value they move, can pass through the system.
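To make the mitigation concrete, here is an added example of a per-channel flow rate limit of the kind the paragraph credits with containing the blast radius. It is illustrative code written for this article, not the rate-limit module Osmosis or ibc-go actually runs; the type names, the window/quota parameters and the single signed net-flow counter are all assumptions. The point it demonstrates is that even a transfer path that tries to move an unbounded amount (for example, through a minting bug) is stopped once the window's quota is exhausted, and only resumes when the window rolls over or inflow offsets the outflow.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrRateLimited is returned when a transfer would push a channel's net flow
// past its quota for the current window.
var ErrRateLimited = errors.New("transfer exceeds channel rate limit for this window")

// FlowLimiter caps the net amount of a token that may leave or enter a chain
// over one IBC channel within a fixed window. Constructed for this example;
// it is not the rate-limit module Osmosis actually runs.
type FlowLimiter struct {
	window    time.Duration
	maxOut    int64 // cap on net outflow per window
	maxIn     int64 // cap on net inflow per window
	netFlow   int64 // positive = net outflow, negative = net inflow
	windowEnd time.Time
}

// NewFlowLimiter starts a limiter whose first window begins at now.
func NewFlowLimiter(window time.Duration, maxOut, maxIn int64, now time.Time) *FlowLimiter {
	return &FlowLimiter{window: window, maxOut: maxOut, maxIn: maxIn, windowEnd: now.Add(window)}
}

// reset starts a fresh window, and a fresh counter, once the current one has elapsed.
func (l *FlowLimiter) reset(now time.Time) {
	if !now.Before(l.windowEnd) {
		l.netFlow = 0
		l.windowEnd = now.Add(l.window)
	}
}

// Send records an outgoing transfer, or rejects it if the outflow quota would be exceeded.
func (l *FlowLimiter) Send(amount int64, now time.Time) error {
	if amount <= 0 {
		return errors.New("amount must be positive")
	}
	l.reset(now)
	if l.netFlow+amount > l.maxOut {
		return ErrRateLimited
	}
	l.netFlow += amount
	return nil
}

// Receive records an incoming transfer, or rejects it if the inflow quota would be exceeded.
func (l *FlowLimiter) Receive(amount int64, now time.Time) error {
	if amount <= 0 {
		return errors.New("amount must be positive")
	}
	l.reset(now)
	if l.netFlow-amount < -l.maxIn {
		return ErrRateLimited
	}
	l.netFlow -= amount
	return nil
}

// NetFlow exposes the current window's net flow so operators can alert on it.
func (l *FlowLimiter) NetFlow() int64 { return l.netFlow }

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	l := NewFlowLimiter(24*time.Hour, 100, 100, start)
	// A faulty path attempts to drain far more than the daily quota.
	for i := 0; i < 12; i++ {
		err := l.Send(10, start.Add(time.Duration(i)*time.Minute))
		fmt.Printf("send #%d: err=%v netFlow=%d\n", i+1, err, l.NetFlow())
	}
}
```

The quota is deliberately small so that the eleventh transfer in the demo is rejected; a real deployment would size the window and caps per channel against the token's circulating supply and alert whenever `NetFlow` approaches the cap, since a sudden approach to the limit is itself an incident signal.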

Father-Son Team Recovers $6 Million in Lost Crypto

When a team does not act as quickly as Cosmos did and funds are stolen or lost, most people assume their crypto is gone for good. One father and son believe all hope is not lost. In New Hampshire, Chris and Charles Brooks are bringing hope to cryptocurrency users who have lost access to their wallets. Through their business, Crypto Asset Recovery, they have successfully reclaimed more than $6 million in lost crypto assets.

About 70% of their clients seek help after losing their Bitcoin wallet passwords, often without any seed-word backup, a recovery method that only became widely adopted after 2015. For these older or backup-lacking wallets, Chris Brooks explained that they often use brute-force software to guess the lost passwords. The method has apparently proven quite effective, recovering access in about 45% of these cases.

Additionally, the Brookses have helped in more unusual recovery scenarios, like helping a collector of Casascius coins—a physical form of Bitcoin storage—retrieve a lost key after part of the coin’s protective film was damaged, obscuring several characters of the private key.

Beyond password recovery, the duo has ventured into scam tracking. They analyze transaction hashes to trace stolen funds to scammers' wallets, often ending up at exchanges. Although they compile detailed reports for law enforcement, Charles Brooks is realistic about the chances of recovering funds lost to scams, as positive outcomes to these cases are rare and heavily reliant on legal intervention.

Sybil Attacks on the Rise

Despite the efforts of do-gooders like the Brookses, the crypto industry is still actively targeted by scammers and exploiters. In particular, the industry is currently facing a major challenge with the rise of Sybil attacks.

These attacks have become a lot more prevalent as airdrops have grown increasingly lucrative, tempting users to manipulate systems to gain tokens. For example, the Degen memecoin project on the Farcaster protocol recently banned around 2,000 users for suspected "farming" through coordinated posting and artificial engagement, undermining the integrity of their airdrop event.

Similarly, Bitget Wallet has taken steps against users who use emulators and cloud phones to artificially inflate referral points and downloads in pursuit of BWB token rewards. Despite these efforts, Bitget Wallet acknowledges that it can be very difficult to pinpoint dishonest participants without penalizing honest users. For now, it has limited point deductions to the top 50 suspected abusers in an attempt to keep things fair.

The issue also surfaced in other crypto projects, like the Ethereum layer-2 protocol Starknet, where developer Banteg discovered more than 1,800 accounts involved in manipulative practices during their airdrop event. Even with these revelations, the problematic accounts were still included in the airdrop, which temporarily raised Starknet's valuation to over $20 billion.

Gamic HQ's report reveals that Sybil attacks often involve scripts or bots that automate account creation and task completion, skewing token distribution and potentially damaging the project's reputation and market stability. However, the report also acknowledged that these challenges are pushing blockchain projects to develop more sophisticated user verification and fair distribution methods. Depending on how you look at it, this ongoing battle against Sybil attacks could be contributing to a more robust and secure blockchain ecosystem.
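The reports above describe scripted account creation and task completion, and the difficulty Bitget Wallet and others face in flagging farms without penalizing honest users. The following added example shows one of the simpler verification heuristics a project can run over its own claim data before distributing tokens: cluster claimant addresses by the wallet that first funded them, and flag clusters that are both large and were activated within a short burst. The code is written for this article and is not any project's actual anti-Sybil tooling; the `Claimant` record, the field names, the sample addresses and the thresholds are constructed assumptions. Note how the time-span condition keeps a popular exchange hot wallet, which legitimately funds many unrelated users over days, from being flagged.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Claimant is one airdrop claim as a project might export it from its own
// indexer. The field names are constructed for this example.
type Claimant struct {
	Address   string
	FundedBy  string    // address whose transfer first funded this account
	FirstTxAt time.Time // when the account first transacted
}

// Cluster is a group of claimants that share a funding source and were
// activated close together in time.
type Cluster struct {
	Funder    string
	Addresses []string
	Span      time.Duration // time between the earliest and latest first tx
}

// FindSybilClusters groups claimants by funding source and flags groups that
// are at least minSize accounts and were all activated within maxSpan, the
// signature of scripted account creation. Both thresholds are tuning knobs.
func FindSybilClusters(claims []Claimant, minSize int, maxSpan time.Duration) []Cluster {
	byFunder := map[string][]Claimant{}
	for _, c := range claims {
		byFunder[c.FundedBy] = append(byFunder[c.FundedBy], c)
	}
	var flagged []Cluster
	for funder, group := range byFunder {
		if len(group) < minSize {
			continue
		}
		sort.Slice(group, func(i, j int) bool { return group[i].FirstTxAt.Before(group[j].FirstTxAt) })
		span := group[len(group)-1].FirstTxAt.Sub(group[0].FirstTxAt)
		if span > maxSpan {
			continue // spread out over time: looks like an exchange funding real users
		}
		cl := Cluster{Funder: funder, Span: span}
		for _, c := range group {
			cl.Addresses = append(cl.Addresses, c.Address)
		}
		flagged = append(flagged, cl)
	}
	// Deterministic output order, since map iteration is random.
	sort.Slice(flagged, func(i, j int) bool { return flagged[i].Funder < flagged[j].Funder })
	return flagged
}

// SampleClaims is a constructed data set: three honest users funded by the
// same exchange over several days, one funded elsewhere, and a scripted farm
// of five accounts funded by one wallet within eight minutes.
func SampleClaims() []Claimant {
	base := time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC)
	claims := []Claimant{
		{Address: "0xhonest1", FundedBy: "0xexchangeA", FirstTxAt: base.Add(-72 * time.Hour)},
		{Address: "0xhonest2", FundedBy: "0xexchangeA", FirstTxAt: base.Add(-30 * time.Hour)},
		{Address: "0xhonest3", FundedBy: "0xexchangeA", FirstTxAt: base.Add(-5 * time.Hour)},
		{Address: "0xhonest4", FundedBy: "0xexchangeB", FirstTxAt: base.Add(-2 * time.Hour)},
	}
	for i := 0; i < 5; i++ {
		claims = append(claims, Claimant{
			Address:   fmt.Sprintf("0xfarm%d", i),
			FundedBy:  "0xfarmfunder",
			FirstTxAt: base.Add(time.Duration(i*2) * time.Minute),
		})
	}
	return claims
}

func main() {
	for _, cl := range FindSybilClusters(SampleClaims(), 3, time.Hour) {
		fmt.Printf("funder %s: %d accounts activated within %s: %v\n",
			cl.Funder, len(cl.Addresses), cl.Span, cl.Addresses)
	}
}
```

Widening `maxSpan` to days would also pull in the exchange-funded honest accounts, which is exactly the false-positive trade-off Bitget Wallet describes; in practice a flag like this should gate a review or a points deduction rather than an automatic ban.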

What is a Sybil Attack?

A Sybil attack is a malicious strategy used to compromise a network by creating numerous fake accounts or nodes. This type of attack is seen in various online and on-chain networks, aiming to manipulate the system for the attacker's benefit. Examples include fraudulent activities in online voting systems, spreading misinformation or malicious links on social media, and overpowering legitimate nodes in a blockchain network. The integrity of these systems is crucial as they are often designed to ensure that once actions, like transactions or votes, are recorded, they are irreversible and trustworthy.

In the context of public blockchains, Sybil attacks threaten to disrupt the blockchain's finality—the principle that once data is written on the blockchain, it should remain unchanged and indelible. This finality is essential to prevent issues like double-spending in cryptocurrencies and to ensure the reliability of smart contracts and decentralized applications.

Sybil attacks in the cryptocurrency world typically involve the creation of multiple false nodes. A single attacker or a group operating numerous nodes can masquerade as multiple, independent network participants. These fake nodes can potentially influence important network decisions, intercept private data, or even execute a 51% attack if they accumulate over half of the network’s hashing power. In these scenarios, attackers could alter the blockchain's history, prevent transactions from being confirmed, or double-spend coins, severely undermining the blockchain’s security and reliability.

Telegram Users Targeted in Sophisticated Toncoin Scam

Scammers have also been exploiting the surge in popularity of The Open Network (TON) blockchain and its Toncoin (TON) token. According to a report from cybersecurity firm Kaspersky, the scam has been active since at least November of 2023 and involves an elaborate referral scheme designed to swindle Toncoin from unsuspecting token holders.

Victims are initially contacted through links sent by friends or familiar contacts, inviting them to join an “exclusive earning program” managed by an unofficial Telegram bot that falsely claims to store cryptocurrency. To make the scheme look a bit more authentic, the scammers instruct victims to buy Toncoin through legitimate avenues like the official Telegram bot, peer-to-peer markets, or crypto exchanges.

The scam gets more serious when victims are persuaded to buy "boosters" with names like 'bike,' 'car,' 'train,' 'plane,' or 'rocket,' priced between 5 and 500 Toncoin. These boosters, which cost between $2 and $2,700, are presented as necessary for earning in the system. However, once a booster is purchased, the victim loses control over those funds permanently.

The scammers also push a referral program, encouraging victims to create private Telegram groups and invite friends using a provided referral link, complete with video instructions in both Russian and English. The promise of earning 25 TON per invited friend and additional commissions based on the booster tariff purchased by referrals turns the scheme into a classic pyramid structure, where profits are nonexistent for anyone except the orchestrators.

In this scam, all participants, dubbed 'partners,' eventually lose their investments, and the only beneficiaries are the scammers themselves. The full extent and impact of the scam are not yet known.