A sophisticated hack on the Terra blockchain caused a serious breach that led to the theft of many cryptocurrencies valued at about $5 million. About 60 million ASTRO tokens, 3.5 million USDC, 500,000 USDT, and 2.7 BTC were among the specific assets stolen. The breach’s nature was disclosed by the smart contract audit company Beosin in an X post, which read, “Terra blockchain was exploited for ~60M $ASTRO, 3.5M $USDC, 500k $USDT, and 2.7 $BTC.”
“So yes, it appears this is the IBC hooks exploit from back in April,” security researcher Rarma (@Rarma_) confirmed on X. Through IBC interactions, an attacker was able to deploy and call a malicious CosmWasm contract that repeatedly triggered MsgTimeout from within the OnTimeout callback of the IBC hook before the packet commitment had been deleted. On chains that integrate ICS-20 via ibc-hooks, this lets the OnTimeout logic of the transfer application run recursively, so funds can be released from the escrow account incorrectly, or tokens can be minted unexpectedly.
The attacker took control of the IBC transfer flow by using this weakness, which had been known since April but never patched on Terra, to mint tokens on Terra and transfer them off the chain. Because Terra had not been patched, the hack was possible. “The exploiter used a contract, an IBC call (with IBC hooks), and a timeout to mint tokens that had been IBC transferred onto Terra: 60 million ASTRO tokens, 500k USDT, 2.7 BTC, and 3.5 million axlUSDC. The IBC relayers for Terra and Neutron must cease,” Rarma continued.
The researcher went on to say that “this exploit was used to ‘re-mint’ the IBC’d assets into the hacker’s wallet.” Those tokens were then IBC transferred out, and on the way out the “minted” tokens were “burnt.” From the standpoint of the chain, IBC, and the relayers, the exploited tokens therefore technically no longer exist on Terra, and the TVL those tokens represent is wholly fraudulent.
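The timeout re-entrancy described above, as an added toy model in Go that is not ibc-go, ibc-hooks, or any Terra code: a stored packet commitment, the voucher re-mint that a timeout performs as its refund, and two orderings of the timeout handler. The vulnerable ordering runs the contract hook before deleting the commitment, so a hook that submits the same timeout again is refunded again; the fixed ordering deletes the commitment before any external code runs. The Packet, Chain, Hook, Handler and Simulate names and the sample packet are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Packet models an ICS-20 transfer packet still awaiting acknowledgement.
type Packet struct {
	Sequence uint64
	Sender   string
	Amount   uint64
}

// Chain is a toy model of transfer-app state for voucher (non-native) tokens:
// packet commitments, voucher supply and account balances. Not ibc-go code.
type Chain struct {
	commitments map[uint64]Packet
	supply      uint64
	balances    map[string]uint64
}

// Hook is the OnTimeout callback handed to a contract; it receives the chain
// because contract code running inside a callback can call back into the chain.
type Hook func(c *Chain, seq uint64) error

// Handler is the signature shared by both timeout implementations below.
type Handler func(c *Chain, seq uint64, hook Hook) error

// NewChain starts with the sender's vouchers already burned and a commitment
// stored for the outgoing packet p.
func NewChain(p Packet) *Chain {
	return &Chain{commitments: map[uint64]Packet{p.Sequence: p}, balances: map[string]uint64{}}
}

// refund re-mints the vouchers a timed-out packet had burned: the "effect".
func (c *Chain) refund(p Packet) {
	c.supply += p.Amount
	c.balances[p.Sender] += p.Amount
}

// OnTimeoutVulnerable refunds, runs the hook, and only then deletes the
// commitment. While the hook runs the commitment still exists, so a nested
// timeout for the same sequence passes the existence check and refunds again.
func (c *Chain) OnTimeoutVulnerable(seq uint64, hook Hook) error {
	p, ok := c.commitments[seq]
	if !ok {
		return errors.New("no commitment for packet")
	}
	c.refund(p)
	if hook != nil {
		if err := hook(c, seq); err != nil {
			return err
		}
	}
	delete(c.commitments, seq)
	return nil
}

// OnTimeoutFixed deletes the commitment before any external code runs
// (checks, effects, then interactions), so a nested timeout finds nothing.
func (c *Chain) OnTimeoutFixed(seq uint64, hook Hook) error {
	p, ok := c.commitments[seq]
	if !ok {
		return errors.New("no commitment for packet")
	}
	delete(c.commitments, seq)
	c.refund(p)
	if hook != nil {
		return hook(c, seq)
	}
	return nil
}

// reentrantHook models a callback that re-submits the same timeout up to depth
// more times, ignoring the nested result (as a contract handling a failed
// sub-message reply could), so a rejected re-entry does not abort the outer call.
func reentrantHook(handler Handler, depth int) Hook {
	var h Hook
	h = func(c *Chain, seq uint64) error {
		if depth == 0 {
			return nil
		}
		depth--
		_ = handler(c, seq, h)
		return nil
	}
	return h
}

// Simulate runs one timeout on a fresh chain (constructed sample packet) with
// a hook that re-enters depth times; returns voucher supply and sender balance.
func Simulate(handler Handler, depth int) (supply, sender uint64, err error) {
	p := Packet{Sequence: 1, Sender: "terra1example", Amount: 100}
	c := NewChain(p)
	err = handler(c, p.Sequence, reentrantHook(handler, depth))
	return c.supply, c.balances[p.Sender], err
}

func main() {
	for _, tc := range []struct {
		name string
		h    Handler
	}{{"vulnerable", (*Chain).OnTimeoutVulnerable}, {"fixed", (*Chain).OnTimeoutFixed}} {
		supply, sender, err := Simulate(tc.h, 2)
		fmt.Printf("%-10s supply=%d sender=%d err=%v\n", tc.name, supply, sender, err)
	}
}
```

With a hook that re-enters twice, the vulnerable ordering mints three refunds for one packet (supply and sender balance both reach 300 for a 100-token packet), while the fixed ordering mints exactly once and rejects the nested attempts because the commitment is already gone. Deleting the commitment before the callback is the same checks-effects-interactions discipline that guards against re-entrancy in smart contracts generally; a detection-side check for chains running such hooks is to reconcile voucher supply against the escrow on the counterparty chain, since supply exceeding counterparty escrow is exactly the "fraudulent TVL" the article describes.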
Notably, the attacker has already moved the stolen assets to Ethereum, bridging them there and swapping them for Ether (ETH) rather than routing them through Cosmos.
In response to the flaw, the development team moved swiftly to stop further abuse of the blockchain. The announcement of the halt told the community: “Please be advised that the chain will be halted shortly at block height 11430400, and transactions will not be processed during this time.” It continued, “We will be working with the validators on Terra (Phoenix-1) to apply an emergency patch thereafter to remediate a suspected exploit.”
About four hours after the halt, the development team released an emergency fix to address the exploited vulnerability and strengthen the chain’s defences. The update was essential to restoring normal operations: at about 4:19 AM UTC on 1 August 2024, the Terra chain resumed block production, and the emergency chain update is now complete. Users can resume their regular activity as transactions are being processed again. By upgrading their nodes, validators representing more than 67% of Terra’s voting power have closed the exploit; more validators are expected to update soon.