Cosmos Hub Onboarding: Incident Report and Resolution
On December 23, 2022, Quicksilver Liquid Staking Protocol’s onboarding of the Cosmos Hub was sadly the target of a calculated and malicious sabotage attempt. The exploiter used a security vulnerability in the Cosmos Hub’s version of IBC-go to attack and block Quicksilver’s onboarding of the Hub. No user will experience loss of funds due to this incident.
The exploit was not present in Quicksilver’s code, and the Cosmos Hub team is working with Quicksilver on a resolution to onboard the Hub once the Cosmos Hub chain security vulnerability is patched. The other three upcoming chains on our onboarding roadmap, Stargaze, Juno, and Osmosis, are not affected by this issue. In the meantime, the Quicksilver team will continue to move forward with onboarding other chains & protocol feature releases.
This incident report will provide a description of how the attack was carried out, how the issue was addressed, and the next steps.
Quicksilver is a sovereign Cosmos SDK zone that provides liquid staking for the Interchain. Thanks to its plug-and-play design, it can scale to onboard a limitless number of zones with zero onboarding effort from zones and validators.
On December 23, 2022, Quicksilver onboarded the Cosmos Hub to allow ATOM holders to liquid stake their assets and and receive a liquid token voucher, qATOM.
While the Hub was being onboarded, a bad actor used the predictable ICA address generation to determine the address of the protocol’s delegate account, and initialised the account by sending tokens to it prior to the account registration. This meant that the ICA in question was never accessible by the Quicksilver protocol, but the Cosmos Hub responded that the registration was successful, even though Gaia (the Hub) never actually granted the Quicksilver protocol control over the account in question. This resulted in a situation where the Quicksilver protocol’s code believed it controlled the account, and continued to send deposits to it, despite being unable to execute transactions on behalf of that account.
3460 ATOM had been deposited into the delegation account, 95% of which belong to the Quicksilver team. The other 311 ATOM belong to the community and will be refunded in full.
It’s important to note that the attacker never had any path to gain control of the funds; the ATOM remains locked in the delegation account on the Cosmos Hub, inaccessible.
The reason the actor could take advantage of the predictable address generation was that the security vulnerability of predictable ICA address generation was addressed in ibc-go version v3.3.0, but the Cosmos Hub was using ibc-go v3.0.0.
Unfortunately, this was a calculated attack by someone who knew that Cosmos Hub had not followed the proper security upgrades to mitigate a known security vulnerability. It was an attack designed to damage both the Cosmos Hub and Quicksilver’s community.
To protect users and partners, the Quicksilver team turned off the protocol front end’s staking page and shut down the ICQ relayers while working to identify why delegation transactions were failing.
Then, the Quicksilver team and validators coordinated a preemptive chain halt at block 115000, which took place on December 24 at 10:15 UTC, due to the following:
- To mitigate risk to users to continue submitting deposits, as these deposits would be processed if any validators initialized ICQ relayers.
- There is a sanity check that halts the chain if there is greater than expected disparity between ATOM locked in delegations and qAtom supply. Given delegations were failing, this would certainly have triggered a chain halt at 1300 UTC on December 25, Christmas Day, spoiling the holiday for many validators.
The Way Forward
Restarting the Quicksilver Chain
There is no major “fix” on the side of the Quicksilver chain; the only update is to add custom logic to the Quicksilver chain’s software to remove the “half-registered” Cosmos Hub zone and allow Quicksilver chain to get back to producing blocks.
There will be a Quicksilver testnet upgrade the week of December 27. The chain restart is planned for the new year to preserve validators’ holiday plans.
Onboarding the Cosmos Hub to Quicksilver Liquid Staking Protocol
Quicksilver remains committed to onboarding the Cosmos Hub, to give the Cosmos Hub community the opportunity to stake ATOM and get qATOM. We are working with the Cosmos Hub team on addressing the security vulnerability, so that the Hub onboarding may be resumed. An upgraded Hub will ensure that this situation cannot be repeated.
We don’t yet have a clear timeline from the Hub, but it may roll out the fix in early 2023. This would mean that it onboarded soon after and the Hub community can gain access to the protocol for liquid staking.
Updating the Chain Onboarding Process for Quicksilver Protocol
Other chains’ upgrade paths should not be the Quicksilver team’s responsibility to audit, especially when there have been advisories recommending immediate security upgrades; however, it is our duty to act in the best interest of all potential Quicksilver users and the greater Cosmos community.
As such, we will conduct additional checks in future on the dependencies of chains that we recommend to the community to onboard onto the protocol.
Recompense for Affected Users
Of the 3460 ATOM in the exploit, 3149 ATOM belonged to the Quicksilver team and 311 ATOM belonged to users. User funds will be refunded 100%.
The Quicksilver team has a list of all depositors and the transactions that were executed to onboard funds into the protocol. We will use this list to refund all depositors. We expect the refund process to be completed this week.
Leading the Way
No matter the setback, the Quicksilver team will continue to build for the benefit of the entire Cosmos community. We will direct our resources to onboarding other chains, beginning with Stargaze in early January 2023, and keep working to steadily release like unbonding and signaling intent, both of which are planned for early January.
Quicksilver is dedicated to providing Interchain Liquid Staking and supporting decentralization for the entire Cosmos. We’re ready to go again, strong as ever.