GO-2024-2874 Inter-Blockchain Communication (IBC) protocol "Huckleberry" vulnerability in github.com/cosmos/ibc-go

The ibc-go module is affected by the Inter-Blockchain Communication IBC protocol "Huckleberry" vulnerability. The vulnerability allowed an attacker to send arbitrary transactions onto target chains and trigger arbitrary state transitions, including but not limited to, theft of funds. It was...

Users will not receive on Token on Destination chain because the internal _executeWithToken(...) function is not implemented.

Lines of code Vulnerability details Impact Loss of tokens on the Destination chain. Proof of Concept The DestinationBridge.sol contract inherits AxelarExecutable.sol which has the executeWithToken... that's called at the end of executeWithToken... function. The executeWithToken... is not...

Tokens transferred with bridge can get lost if destination transaction can’t be executed

Lines of code Vulnerability details Impact User could lost his tokens, if tx on destination chain will failrevert. There is no option to recover the tokens on source chain. Revert could be cause by function attachThreshold. This function finds the correspondence between the amount and threshhold...

Cross-chain smart contract call can revert and burned tokens in source chain can't be recovered

Lines of code Vulnerability details Summary AXELARGATEWAY.callContract doesn't revert on failure in destination chain , execute function can revert for varies reasons such as not passing require statements, or low gas so tokens remained burned in source chain and can't be recovered . Impact Loss ...

InterchainProposalExecutor will fail if any proposal requires value transfer, breaking core logic

Lines of code Vulnerability details Impact Proposals which are sent from a source chain using InterchainProposalSender to a destination chain to be executed using InterchainProposalExecutor are intended to support function calls that include transfers of ETH, or other native token. However, the...

BranchBridgeAgent invokes anyCall with PAY ON SOURCE but doesn't send value with it. All calls will fail.

Lines of code Vulnerability details Impact IAnycallProxy.anyCall operates under one of two modes of taking fees, namely fees are taken either on source or on the destination chain. Fee mode is decided by the caller with an appropriate value of the fourth parameter, ie. uint256 flag . Values 0,4...

Users can create beam request for a destination chain without paying a fee.

Lines of code Vulnerability details Impact When a user creates a beam request for a destination chain, the user can input zero as a value for gasLimit. With this, the user is able to make the request without paying any fees to Hologram since messagingModule.getHlgFeetoChain, gasLimit, gasPrice;...