The Terra blockchain recently experienced a serious security breach resulting in the theft of about $5 million in various cryptocurrencies. This included approximately 60 million ASTRO tokens, 3.5 million USDC, 500,000 USDT, and 2.7 BTC. The breach was detailed by the smart contract audit firm Beosin on X, which reported, “The Terra blockchain was compromised, leading to the theft of ~60M $ASTRO, 3.5M $USDC, 500k $USDT, and 2.7 $BTC.”
According to security researcher Rarma (@Rarma_), the incident exploited the IBC hooks vulnerability disclosed earlier in April. When an ICS-20 transfer times out, the transfer module refunds the sender: native tokens are released from the escrow account, and vouchers for tokens that originated on another chain, which were burned when the transfer was sent, are minted again. On chains that use IBC hooks, the timeout additionally invokes an OnTimeout callback on the sending CosmWasm contract. The flaw was that this callback ran while the packet commitment still existed, so a malicious contract deployed through IBC interactions could submit MsgTimeout for the same packet again from inside the callback and be refunded repeatedly. Any chain using IBC hooks for its ICS-20 integration was affected, and this recursive execution of the OnTimeout logic could drain escrow accounts or mint tokens that were never backed.
The vulnerability had remained unpatched on Terra since its disclosure in April, which let the attacker abuse the timeout path to mint tokens on Terra and then transfer them off the chain. “Terra wasn’t patched, which facilitated the exploit. The attacker minted tokens that had been IBC transferred onto Terra by using a contract, IBC call (with IBC hooks), and a timeout. 3.5 million axlUSDC, 500k USDT, 2.7 BTC, 60m ASTRO tokens. Terra and Neutron IBC relayer need to stop,” Rarma commented.
The researcher further explained that the IBC-transferred assets were ‘re-minted’ and then transferred out, with the ‘minted’ tokens burned on exit. From the perspective of the chain, IBC and the relayer, those tokens therefore no longer exist on Terra, so TVL figures that still count them are misleading.
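To make the re-entrant timeout concrete, here is a small Go model added for this article; it is not Terra's, ibc-go's or the IBC hooks code, and the names (Chain, MsgTimeout, Simulate, the "attacker" account) are invented for the illustration. A transfer burns the sender's vouchers and records a packet commitment; a timeout refunds (re-mints) and then calls the sender's hook. In the vulnerable ordering the commitment is deleted only after the callback returns, so a contract that calls MsgTimeout again from inside its callback is refunded once per nested call. The hardened ordering deletes the commitment before invoking the callback, the general checks-effects-interactions fix, not necessarily the exact patch Terra applied.

```go
package main

import (
	"errors"
	"fmt"
)

// Packet is a toy ICS-20 transfer packet awaiting acknowledgement or timeout.
type Packet struct {
	Sequence uint64
	Sender   string
	Amount   int64
}

// TimeoutCallback stands in for the CosmWasm contract that IBC hooks invoke
// from OnTimeout on behalf of the packet's sender.
type TimeoutCallback func(c *Chain, p Packet) error

// Chain is a minimal model of the transfer module: voucher balances, the
// packet-commitment store, and hook callbacks registered per sender.
type Chain struct {
	balances    map[string]int64
	commitments map[uint64]Packet
	callbacks   map[string]TimeoutCallback
	// deleteFirst selects the hardened ordering: the commitment is removed
	// before the callback runs, so a nested MsgTimeout finds nothing to refund.
	deleteFirst bool
}

func NewChain(deleteFirst bool) *Chain {
	return &Chain{
		balances:    map[string]int64{},
		commitments: map[uint64]Packet{},
		callbacks:   map[string]TimeoutCallback{},
		deleteFirst: deleteFirst,
	}
}

// SendTransfer burns the sender's vouchers (as ICS-20 does for non-native
// denoms) and records the commitment that a later timeout will consume.
func (c *Chain) SendTransfer(seq uint64, sender string, amount int64) error {
	if c.balances[sender] < amount {
		return errors.New("insufficient balance")
	}
	if _, dup := c.commitments[seq]; dup {
		return errors.New("duplicate sequence")
	}
	c.balances[sender] -= amount
	c.commitments[seq] = Packet{Sequence: seq, Sender: sender, Amount: amount}
	return nil
}

// MsgTimeout re-mints the burned vouchers to the sender and then hands control
// to the sender's hook. In the vulnerable ordering the commitment survives
// until the callback returns, so the callback can be refunded again.
func (c *Chain) MsgTimeout(seq uint64) error {
	p, ok := c.commitments[seq]
	if !ok {
		return errors.New("packet commitment not found")
	}
	if c.deleteFirst {
		delete(c.commitments, seq) // effects before interactions
	}
	c.balances[p.Sender] += p.Amount // refund: mint vouchers back
	if cb, ok := c.callbacks[p.Sender]; ok {
		if err := cb(c, p); err != nil {
			return err
		}
	}
	if !c.deleteFirst {
		delete(c.commitments, seq) // too late: the callback already re-entered
	}
	return nil
}

// reentrantCallback models a malicious contract that re-submits MsgTimeout for
// the packet it is being notified about, `extra` additional times.
func reentrantCallback(extra int) TimeoutCallback {
	return func(c *Chain, p Packet) error {
		if extra == 0 {
			return nil
		}
		extra--
		_ = c.MsgTimeout(p.Sequence) // a hardened chain rejects this; ignore the error
		return nil
	}
}

// Simulate returns the attacker's final voucher balance after one transfer of
// `amount` times out while its callback re-enters MsgTimeout `extra` times.
func Simulate(deleteFirst bool, amount int64, extra int) (int64, error) {
	c := NewChain(deleteFirst)
	c.balances["attacker"] = amount // constructed starting balance
	c.callbacks["attacker"] = reentrantCallback(extra)
	if err := c.SendTransfer(1, "attacker", amount); err != nil {
		return 0, err
	}
	if err := c.MsgTimeout(1); err != nil {
		return 0, err
	}
	return c.balances["attacker"], nil
}

func main() {
	vuln, _ := Simulate(false, 100, 2)
	safe, _ := Simulate(true, 100, 2)
	fmt.Printf("vulnerable ordering: attacker ends with %d (started with 100)\n", vuln)
	fmt.Printf("hardened ordering:   attacker ends with %d (started with 100)\n", safe)
}
```

With two nested calls the vulnerable ordering triples the attacker's balance from a single timed-out packet, which is the "unintended token minting" outcome described above; the same model with native tokens would instead over-release the escrow account.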
The attacker has already moved the stolen assets, not within the Cosmos ecosystem but by bridging them to Ethereum and swapping them for Ether (ETH).
In response to the breach, the development team swiftly halted the blockchain to mitigate further damage. They announced, “The chain will be halted at block height 11430400, and transactions will cease during this period. We are collaborating with Terra validators (phoenix-1) to apply an emergency patch to address the exploit.”
Approximately four hours after the halt, an emergency patch was deployed to close the vulnerability. Because CometBFT consensus needs more than two-thirds of the voting power to commit blocks, the chain could resume once validators above that threshold had upgraded: “The Terra chain resumed block production at around 4:19 AM UTC, and the emergency upgrade is complete. Transactions are processing normally, and validators with over 67% of the voting power have updated their nodes to prevent future exploits. Additional validators are expected to update soon.”