Full Report
The Cosmos SDK is a blockchain development framework for application-specific blockchains. Built into its core is blockchain interoperability via IBC (Inter-Blockchain Communication). The Cosmos SDK, like most other blockchains, has events. Events make it easy for off-chain applications to monitor the blockchain, query its state and then act on these messages. So, keeping these events valid is important for the security of the system.

When two blockchains communicate via IBC, a relayer sends the data over with a MsgRecvPacket message. If an error occurs during this handling, the blockchain cannot revert. This is because the other chain needs to revert the state changes that were supposed to happen (but failed) from chain A to chain B. So, instead, it uses an IBC acknowledgement message. A successful ack means the call succeeded, and a failed ack indicates that the call to IBC failed for whatever reason. The relayer then sends the result from the target chain back to the original chain to revert the changes.

When handling an IBC packet with a failure, the event is still emitted due to poorly written code. Why is this bad? The events are emitted even though the state changes were never made. As a result, any off-chain program listening would believe the action went through when it really didn't. The author calls this a "hallucination", which is a really good name for it.

To trigger this, we must force a bad ack event. With CosmWasm, this is trivial through the built-in IBC support. Then, to exploit this, an attacker can trigger arbitrary actions through CosmWasm, such as a bridge request. From there, bad events are emitted, tricking whatever off-chain applications are listening. For non-CosmWasm chains, other methods may be possible to trigger this.

What else is vulnerable? A decentralized exchange that requires transfers from one chain to another and looks for events could be vulnerable. Additionally, various bridges could have been exploited in this way as well. Overall, a really simple issue, overlooked by the developers, that caused a very serious problem. This was a really good find by Felix on the Cosmos SDK side.
Analysis Summary
# Vulnerability: IBC Event Hallucinations (Huckleberry)
## CVE Details
- **CVE ID**: CVE-2023-30514
- **CVSS Score**: 9.1 (Critical)
- **CWE**: CWE-636 (Not Enough Method Softening) / CWE-691 (Insufficient Control Flow Management)
## Affected Systems
- **Products**: `ibc-go` (the reference implementation of the Interblockchain Communication Protocol).
- **Versions**:
  - v1.x.x (all versions)
  - v2.x.x (all versions)
  - v3.x.x (prior to v3.4.1)
  - v4.x.x (prior to v4.4.0)
  - v5.x.x (prior to v5.2.1)
  - v6.x.x (prior to v6.1.2 or v6.2.0)
- **Configurations**: Cosmos SDK chains with IBC enabled; chains with CosmWasm runtimes are particularly susceptible to easy exploitation.
## Vulnerability Description
The vulnerability—nicknamed "Huckleberry"—exists in the `RecvPacket` function of the `ibc-go` keeper. In the Cosmos SDK, `OnRecvPacket` handles incoming IBC data. Because IBC requires an acknowledgment regardless of internal success or failure (to allow the sending chain to revert state), the transaction itself usually succeeds.
The flaw occurred because the code used a `CacheContext` to isolate state changes. If the application logic returned a **failed acknowledgment**, the state changes were correctly discarded (not written). However, the code explicitly called `ctx.EventManager().EmitEvents(cacheCtx.EventManager())`, which leaked the events from the failed execution into the main block results. This causes "hallucinations" where off-chain observers see events for actions (like token transfers) that were never actually committed to the blockchain state.
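
The control flow described above, reduced to a self-contained model (an added example, not code from `ibc-go` or the original report). `Ctx`, `Ack`, `app` and `recvPacket` are hypothetical stand-ins; the `fixed` flag switches between forwarding cached events unconditionally and forwarding them only when the acknowledgment succeeds.

```go
package main

import "fmt"

// Ctx, Ack, app and recvPacket are hypothetical stand-ins, not ibc-go types.
type Ctx struct {
	State  map[string]int
	Events []string
}

// cache returns an isolated copy of the state and a func that commits it.
func (c *Ctx) cache() (*Ctx, func()) {
	cc := &Ctx{State: map[string]int{}}
	for k, v := range c.State {
		cc.State[k] = v
	}
	return cc, func() { c.State = cc.State }
}

type Ack struct{ Success bool }

// app credits the receiver and emits an event, then returns a failed ack.
func app(c *Ctx) Ack {
	c.State["receiver"] += 100
	c.Events = append(c.Events, "transfer receiver 100")
	return Ack{Success: false}
}

// recvPacket runs app in a cached context. fixed=false forwards the cached
// events unconditionally (the flaw); fixed=true forwards them only when the
// ack succeeds, i.e. together with the state write.
func recvPacket(c *Ctx, fixed bool) Ack {
	cc, write := c.cache()
	ack := app(cc)
	if ack.Success {
		write()
	}
	if ack.Success || !fixed {
		c.Events = append(c.Events, cc.Events...)
	}
	return ack
}

func main() {
	for _, fixed := range []bool{false, true} {
		c := &Ctx{State: map[string]int{}}
		recvPacket(c, fixed)
		fmt.Printf("fixed=%v balance=%d events=%v\n", fixed, c.State["receiver"], c.Events)
	}
}
```

In both runs the receiver balance stays at 0; only the unfixed run leaves a `transfer` event behind for observers to misread.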
## Exploitation
- **Status**: PoC available/verified; no confirmed malicious exploitation in the wild at the time of disclosure.
- **Complexity**: Low (on chains with CosmWasm) to Medium.
- **Attack Vector**: Network. An attacker sends a malicious IBC packet to a target chain.
On CosmWasm chains, an attacker can deploy a contract that triggers sensitive actions (like a bridge request) via sub-messages but purposefully returns an "Error" acknowledgment. This ensures the tokens never leave the contract, yet the event is emitted.
## Impact
- **Confidentiality**: None.
- **Integrity**: **High**. Off-chain systems (bridges, CEXs, indexers) are tricked into believing state changes occurred.
- **Availability**: Low to Medium.
Successful exploitation could allow an attacker to double-spend on bridges or credit "ghost" deposits to Centralized Exchanges (CEXs) by repeatedly triggering transfer events without actually transferring funds.
## Remediation
### Patches
The vulnerability was fixed by ensuring events are only emitted if the IBC acknowledgment is successful.
- **ibc-go v3.4.1**
- **ibc-go v4.4.2**
- **ibc-go v5.2.1**
- **ibc-go v6.1.2**
- **ibc-go v7.0.1**
### Workarounds
- There are no simple code-level workarounds for chain operators other than upgrading the `ibc-go` dependency and re-compiling the binary.
- **Off-chain entities:** Bridges and exchanges should verify the "acknowledgment" status of an IBC packet in the transaction results rather than relying solely on the presence of events.
## Detection
- **Indicators of Compromise**: Multiple transaction responses where `MsgRecvPacket` results in a failed acknowledgment but contains events normally associated with successful high-value transfers (e.g., `transfer` or `coin_received`).
- **Detection methods**: Audit historical IBC packet acknowledgments and compare event logs against actual balance changes in the state.
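
A sketch of the check recommended under Workarounds and Detection, as an added example rather than code from the advisory: an off-chain consumer credits value-bearing events only when the packet's acknowledgment is a success, and fails closed otherwise. It assumes the acknowledgment is exposed as JSON in a `packet_ack` attribute of a `write_acknowledgement` event; the `Event` type, the watched event names and the sample data are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Event mirrors the type/attribute shape of one transaction-result event.
type Event struct {
	Type  string
	Attrs map[string]string
}

// ackOK reports whether the events carry a successful acknowledgement.
// Assumption: the ack is JSON in the "packet_ack" attribute of a
// "write_acknowledgement" event, with "result" on success, "error" on failure.
func ackOK(events []Event) bool {
	for _, e := range events {
		if raw, ok := e.Attrs["packet_ack"]; ok && e.Type == "write_acknowledgement" {
			var ack struct{ Result, Error json.RawMessage }
			err := json.Unmarshal([]byte(raw), &ack)
			return err == nil && ack.Result != nil && ack.Error == nil
		}
	}
	return false // no acknowledgement found: fail closed
}

// Hallucinated lists value events that must not be credited (no successful ack).
func Hallucinated(events []Event) (out []string) {
	if ackOK(events) {
		return nil
	}
	for _, e := range events {
		if e.Type == "transfer" || e.Type == "coin_received" {
			out = append(out, e.Type)
		}
	}
	return out
}

// sample builds constructed events for one MsgRecvPacket result.
func sample(ack string) []Event {
	return []Event{{"coin_received", nil}, {"transfer", nil},
		{"write_acknowledgement", map[string]string{"packet_ack": ack}}}
}

func main() {
	fmt.Println(Hallucinated(sample(`{"error":"constructed failure"}`)))
	fmt.Println(Hallucinated(sample(`{"result":"AQ=="}`)))
}
```

Run over historical `MsgRecvPacket` results, a non-empty return value marks a transaction whose events should be reconciled against actual balance changes.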
## References
- **Vendor Advisory**: [https://forum.cosmos.network/t/ibc-security-advisory-huckleberry/10731](https://forum.cosmos.network/t/ibc-security-advisory-huckleberry/10731)
- **GitHub Patch**: [https://github.com/cosmos/ibc-go/commit/4973957900d70969d99371e6ed24c47400f5abe6](https://github.com/cosmos/ibc-go/commit/4973957900d70969d99371e6ed24c47400f5abe6)
- **Technical Analysis**: [https://jumpcrypto.com/news/huckleberry-ibc-event-hallucinations/](https://jumpcrypto.com/news/huckleberry-ibc-event-hallucinations/)