An attacker took advantage of an IBC hooks vulnerability flagged in April to exploit the Terra blockchain.
Posted July 31, 2024 at 5:11 am EST.
The Terra blockchain halted block production for around four hours on Tuesday to patch an exploit that resulted in the theft of millions of dollars’ worth of tokens.
The Terra team announced that block production would be halted in a post on X, saying that no transactions would be processed until validators had deployed an emergency patch to remediate a suspected exploit.
Blockchain security firm Beosin estimated that the exploiter had stolen around 60 million ASTRO, 3.5 million USDC, 500,000 USDT and 2.7 BTC, the total value of which exceeded $4 million at the time of the exploit. However, the value of ASTRO has since plummeted 55% to $0.02084.
Users who followed the flow of funds found that the activity resembled an IBC hooks exploit that was flagged in April. IBC hooks is a third-party module used to allow ICS-20 token transfers to initiate contract calls.
That exploit would allow the attacker to take advantage of the flaw in the contract to mint tokens into the hacker’s wallet. One user tracing the hacker’s onchain activity found that the hacker had bridged the stolen assets back to ETH.
IBC-enabled chains deployed a patch for the vulnerability when it was flagged earlier this year. Although Terra was one of those chains, Sommelier Protocol’s Zaki Manian told The Block that Terra developers missed including the patch in a more recent June upgrade.
“All the Axelar USDC bridged to Terra was stolen using the IBC hooks exploit. A large amount of ASTRO was also stolen,” he said.
The Terra blockchain resumed producing blocks shortly after midnight ET after deploying an emergency fix.