On July 30, 2024, a vulnerability in the Terra blockchain was discovered and exploited by an attacker. While Astroport itself was not directly hacked or exploited, the attacker managed to create ASTRO tokens on Terra that should not exist. This post details what happened, when it happened, and how the Astroport contributors responded to limit any further damage to Astroport, the ASTRO token, and our users.
The Incident
Shortly after 22:00 UTC on July 30, 2024, the Terra blockchain was targeted by a malicious attack exploiting a vulnerability in IBC-Hooks. This vulnerability, reported in April as ASA-2024-007: Potential Reentrancy using Timeout Callbacks in ibc-hooks, unfortunately, the original patch was accidentally reverted on Terra, allowing the attacker to execute their attack.
In simple terms, the vulnerability enables an attacker to "fool" the chain and IBC module into giving them tokens that should not exist by using a contract and carefully crafted messages.
Through this method, the attacker received the following tokens:
We'll focus only on the ASTRO tokens here. Range Security as well as Rarma wrote in depth articles covering everything else.
- 00:14 UTC on July 31, 2024, the attacker held ~53.7M ASTRO tokens on Terra that should not exist, artificially inflating the ASTRO supply on Terra.
- 00:16 UTC, the attacker transferred 33.769M ASTRO tokens from Terra to Neutron.
- Between 00:18 UTC and 01:29 UTC, the attacker swapped ASTRO to USDC in three transactions:
1) 3,769,616.807536 ASTRO -> 82,185.959084 USDC (Noble)
2) 10,000,000.000000 ASTRO -> 42,008.056584 USDC (Noble)
3) 999,999.000000 ASTRO -> 12,144.509146 USDC (Noble)
A total of ~14.769M ASTRO was exchanged for ~136,338 USDC (worth $136,338).
At 01:36 UTC, the attacker ceased activity on Neutron, leaving ~19M ASTRO in their wallet, with a further 20M ASTRO in their Terra wallet.
Contributor Response
- 03:30 UTC, contributors were alerted and joined the first meeting with several other Cosmos contributors around 04:00 UTC
- 04:17 UTC, the Terra blockchain was halted to patch the vulnerability
- 06:54 UTC, contributors took additional action to temporarily escrow the ASTRO held by the attacker on Neutron in the Astroport Treasury while the situation was studied[1].
- Around 10:59 UTC, the Terra blockchain was halted again to blacklist the attacker’s wallet on Terra.
- 11:15 UTC, the Terra blockchain was restarted with the attacker’s wallet unable to perform any transactions.
Thus, by 11:15 UTC, just under 11 hours since the attack started, all the remaining ASTRO that was minted by the attacker was secured and could no longer cause damage.
The Current State
The attacker no longer controls any ASTRO minted by them, preventing further attacks or damage. There is still a mismatch between the amount of ASTRO sent out from Neutron and the amount of ASTRO existing according to the Terra blockchain. While we are working on a plan to restore and correct this imbalance, it is safe to transfer your ASTRO tokens to Neutron should you wish to do so.
Additionally, before this incident, the maximum supply of ASTRO was 1.1 billion tokens. The exploiter created an additional 53.769 million tokens. Of those, 39 million have been frozen. That means the maximum supply of ASTRO has increased by approx. 14.769M ASTRO tokens (or ~1.3%). We are exploring options to reduce the supply back to 1.1 billion tokens and we’ll issue updates on this very soon.
Closing
We take the security of Astroport and all of our contracts very seriously. All of our contracts have been audited multiple times and are available for anyone to inspect. It is important to note that Astroport was not hacked and not exploited. Our contracts operated as intended.
The entirety of the ASTRO sold by the exploiter was absorbed within the ASTRO-USDC liquidity pool on Neutron. Approximately $136k worth of ASTRO was sold, which created panic selling pressure, further affecting the token price.
Astroport has taken the lead in efforts to have the attacker return the funds, even though the damages to Astroport were minimal compared to other tokens stolen. We'll continue to work tirelessly to improve the entire crypto space, and we are thankful for everyone who has assisted us in every way possible.
Please keep an eye on Astroport communications on X for more updates.
✦
[1] Regarding the ability to escrow the attacker’s funds: In the proposal ARC 105, Astroport governance approved the additional use of the builder multisig for use during the Hub migration should issues occur (as in, both Assembly and the multisig could manage the protocol). Those management capabilities will be revoked with the upcoming creation of a separate security subDAO, which should be granted limited emergency powers to address any future issues. Currently, the attacker’s ASTRO is held in the Astroport Treasury in order to safeguard the protocol from further damage. Look for upcoming governance proposals on how to handle these tokens, which should not exist. In the future, all security-related incidents will be handled by the security subDAO.
