IBC-Go, Non-deterministic JSON Unmarshalling, CVE-2025-004 (Critical)

How the CVE Works:

The vulnerability in IBC-Go arises from non-deterministic deserialization of IBC acknowledgements during JSON unmarshalling. Because the unmarshalling path does not enforce a strict, canonical format for acknowledgements, different nodes can interpret the same acknowledgement bytes differently. Validators that disagree on the resulting state split, and the chain halts until consensus is restored. The condition is reachable once an IBC channel is opened, so any user with channel-opening permissions can introduce the problematic state.

DailyCVE Form:

Platform: IBC-Go

Version: >= v7

Vulnerability: Non-deterministic JSON Unmarshalling

Severity: Critical

Date: February 27, 2025

What Undercode Says:

Exploitation:

  1. Exploit Vector: An attacker with IBC channel-opening permissions can craft malicious acknowledgements that trigger non-deterministic deserialization.
  2. Impact: Chain halts due to inconsistent state interpretation across validators.
  3. Proof of Concept:

```go
package main

import (
	"encoding/json"
	"fmt"

	"github.com/cosmos/ibc-go/v10/modules/core/04-channel/types"
)

func main() {
	// Build a result acknowledgement and serialise it with encoding/json
	// (the non-deterministic path) instead of the module codec.
	ack := types.Acknowledgement{Response: &types.Acknowledgement_Result{Result: []byte("malicious")}}
	data, err := json.Marshal(ack)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(data))
	// Send data via IBC channel to trigger deserialization inconsistency
}
```

Protection:

  1. Patch: Upgrade to the latest IBC-Go version that enforces deterministic JSON unmarshalling.
  2. Workaround: Restrict IBC channel-opening permissions to trusted entities.
  3. Middleware Update: Ensure middlewares use transfertypes.ModuleCdc.MarshalJSON for serialization.
  4. Testing: Validate patches using testnets before deploying to mainnet.
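To make the "strict format" point above concrete, here is an added example (not code from the advisory or from ibc-go) in Go. It uses a constructed `LocalAck` type standing in for the result-or-error shape of an acknowledgement, shows how plain `encoding/json` maps byte-different inputs to the same value, and contrasts it with a canonical-form check of the kind a module codec enforces: the input is accepted only if it round-trips byte-for-byte.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// LocalAck is a constructed stand-in for the result-or-error shape of an
// IBC acknowledgement; it is not ibc-go's Acknowledgement type.
type LocalAck struct {
	Result []byte `json:"result,omitempty"`
	Error  string `json:"error,omitempty"`
}

// DecodeLenient is plain encoding/json: keys match case-insensitively, unknown
// keys are ignored and duplicates resolve last-wins (byte-different inputs collide).
func DecodeLenient(raw []byte) (LocalAck, error) {
	var ack LocalAck
	err := json.Unmarshal(raw, &ack)
	return ack, err
}

// DecodeCanonical accepts raw only if it is byte-identical to the re-encoding of
// what it decoded to, and exactly one of result or error is set.
func DecodeCanonical(raw []byte) (LocalAck, error) {
	var ack LocalAck
	if err := json.Unmarshal(raw, &ack); err != nil {
		return LocalAck{}, err
	}
	canon, _ := json.Marshal(ack) // marshalling a LocalAck cannot fail
	if !bytes.Equal(canon, raw) {
		return LocalAck{}, fmt.Errorf("non-canonical acknowledgement %s (canonical %s)", raw, canon)
	}
	if (len(ack.Result) > 0) == (ack.Error != "") {
		return LocalAck{}, errors.New("acknowledgement must set exactly one of result or error")
	}
	return ack, nil
}

func main() {
	// Constructed inputs: all three decode leniently to result "ok" (base64 b2s=).
	for _, raw := range []string{`{"result":"b2s="}`, `{"RESULT":"b2s="}`, `{"result":"AA==","result":"b2s="}`} {
		l, _ := DecodeLenient([]byte(raw))
		_, err := DecodeCanonical([]byte(raw))
		fmt.Printf("%-36s lenient=%q strict_err=%v\n", raw, l.Result, err)
	}
}
```

Only the first input passes the canonical check; the other two decode to the same value leniently but are rejected as non-canonical, which is the property that keeps every node's view identical.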

Commands:

1. Upgrade Command:

```shell
go get github.com/cosmos/ibc-go@latest
```

2. Permission Restriction:

```shell
# Use Cosmos SDK's governance module to restrict channel permissions
gaiad tx gov submit-proposal update-channel-permissions --from validator --chain-id cosmos-hub
```

References:

  1. Security Advisory: IBC-Go GitHub Advisory
  2. Bug Bounty: Cosmos Bug Bounty Program
  3. Communication: [Interchain Security](mailto:[email protected])

Testing:

1. Testnet Deployment:

```shell
gaiad start --testnet
```

2. Transaction Simulation:

```shell
gaiad tx ibc-transfer transfer channel-0 cosmos1... 100uatom --from wallet --chain-id testnet
```

Additional Notes:

  • Coordinated Upgrade: Chains using ack-serializing middlewares must coordinate upgrades to avoid state breaks.
  • Monitoring: Use monitoring tools like Prometheus to detect deserialization inconsistencies. Prometheus config snippet:

```yaml
- job_name: 'ibc-go'
  static_configs:
    - targets: ['localhost:26660']
```

References:

Reported By: https://github.com/advisories/GHSA-jg6f-48ff-5xrw