ASA-2024-007 Advisory

Attention Validators:

A critical-severity bug has been found in ibc-go: Potential Reentrancy using Timeout Callbacks. See ASA-2024-007 for details. Note that Agoric is not affected by this vulnerability, so it is not a critical vulnerability for the Agoric chain.

Summary:

Through the deployment and subsequent use of a malicious CosmWasm contract via IBC interactions, an attacker could potentially execute the same MsgTimeout inside the IBC hook for the OnTimeout callback before the packet commitment is deleted. On chains where ibc-hooks wraps ICS-20, this vulnerability may allow for the logic of the OnTimeout callback of the transfer application to be recursively executed, leading to a condition that may present the opportunity for the loss of funds from the escrow account or unexpected minting of tokens.

Several ibc-go versions have been released with a fix. The Agoric chain is not affected by this vulnerability as it does not meet all the conditions required for exploitation. Additionally, all smart contracts run in the JavaScript kernel, SwingSet, which is designed to mitigate issues like re-entrancy. Agoric Systems engineering will target the fix in an upcoming upgrade (agoric-upgrade-16).

If you have any questions, comments or concerns, please contact the Agoric Systems Security team at security@agoric.com.

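The ordering problem described in the summary, as an added toy model that is not ibc-go or Agoric code: a callback that runs while the packet commitment still exists can re-enter the timeout handler and trigger the refund twice. The names `Chain`, `Run` and `deleteFirst` are hypothetical, and the delete-before-callback ordering is shown as the general checks-effects-interactions mitigation, not as the exact ibc-go patch.

```go
package main

import "fmt"

// Toy model (constructed for illustration): one in-flight packet whose
// commitment is the only guard against processing its timeout twice.
type Chain struct {
	commitments map[uint64]bool // packet sequence -> commitment present
	refunded    int64           // units paid back out of escrow
	deleteFirst bool            // true = delete the commitment before the callback
	depth       int
}

// onTimeout stands in for the transfer callback wrapped by a hook.
// The hook re-submits the same timeout once, which is the re-entrant
// call pattern the advisory describes.
func (c *Chain) onTimeout(seq uint64, amount int64) {
	c.refunded += amount
	if c.depth < 2 { // bounded so the model terminates
		_ = c.Timeout(seq, amount)
	}
}

// Timeout processes a timeout for seq; it must pay out at most once.
func (c *Chain) Timeout(seq uint64, amount int64) error {
	if !c.commitments[seq] {
		return fmt.Errorf("packet %d: no commitment", seq)
	}
	c.depth++
	defer func() { c.depth-- }()
	if c.deleteFirst {
		delete(c.commitments, seq) // state change before external code runs
		c.onTimeout(seq, amount)   // nested Timeout now fails the check above
		return nil
	}
	c.onTimeout(seq, amount) // callback still sees the commitment
	delete(c.commitments, seq)
	return nil
}

// Run returns the total refunded for a single 100-unit packet.
func Run(deleteFirst bool) int64 {
	c := &Chain{commitments: map[uint64]bool{1: true}, deleteFirst: deleteFirst}
	_ = c.Timeout(1, 100)
	return c.refunded
}

func main() { fmt.Println("callback first:", Run(false), "delete first:", Run(true)) }
```

With the callback first, the model refunds 200 units for a 100-unit packet; with the commitment deleted first, the nested call is rejected and the refund stays at 100.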