Astroport (on Terra Phoenix chain): IBC hooks reentrancy — reintroduced known vulnerability in June upgrade after April patch; timeout callback re-enters token minting
A known Cosmos IBC reentrancy bug patched in April 2024 was accidentally reintroduced by Terra's June upgrade — giving an attacker a 2-month window to drain $6.4M from Astroport's Terra liquidity via a minting exploit, while the ecosystem watched helplessly.
Summary #
Astroport, a DEX / AMM in the Cosmos / IBC ecosystem deployed on the Terra Phoenix chain, was exploited on 2024-07-30, resulting in a loss of approximately $6.4M.
What happened #
The bug sat in the IBC hooks handling on the Terra Phoenix chain: the callback that runs when an IBC packet times out could re-enter the token-minting path, so minting for a single timed-out transfer could be triggered repeatedly through reentrancy. The vulnerability was already known and had been patched in the Cosmos IBC stack in April 2024, but Terra's June 2024 chain upgrade, built on a custom ibc-go fork, shipped without the fix and reintroduced it. The window stayed open for roughly two months until 2024-07-30, when an attacker used the re-entrant minting path to drain about $6.4M from Astroport's liquidity on Terra.
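The following Go model is an added illustration constructed for this entry; it is not ibc-go, Terra or Astroport code and does not reproduce the actual exploit. It shows the general shape of the failure described above: a timeout callback that mints a refund and then runs a user-controlled hook before it has consumed the packet record, so the hook can re-enter the callback and be refunded twice. The hardened path consumes the record before any external call and rejects nested calls with a reentrancy guard. Every name here (`Module`, `OnTimeoutPacket`, `RunScenario`, the hook type) is an assumption made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Toy model, constructed for this page (not ibc-go or Astroport code), of a
// transfer-style module whose timeout callback refunds escrowed tokens by
// minting and then calls a user-controlled hook.

// Hook is the user-controlled code run after a packet times out.
type Hook func(m *Module, seq uint64)

// Module holds the minimal state the model needs.
type Module struct {
	pending map[uint64]uint64 // packet sequence -> escrowed amount to refund
	balance uint64            // receiver's balance; mint adds to it
	hook    Hook
	busy    bool // reentrancy guard used by the hardened path
	fixed   bool // selects vulnerable or hardened behaviour
}

func NewModule(fixed bool, hook Hook) *Module {
	return &Module{pending: map[uint64]uint64{}, hook: hook, fixed: fixed}
}

// SendPacket escrows amt and records the packet so a timeout can refund it.
func (m *Module) SendPacket(seq, amt uint64) { m.pending[seq] = amt }

func (m *Module) mint(amt uint64) { m.balance += amt }

// OnTimeoutPacket refunds the sender for a packet that was never acknowledged.
func (m *Module) OnTimeoutPacket(seq uint64) error {
	if m.fixed {
		return m.onTimeoutFixed(seq)
	}
	return m.onTimeoutVulnerable(seq)
}

// Vulnerable ordering: the interaction (mint + hook) runs before the effect
// (deleting the packet record), so the hook can call OnTimeoutPacket again
// for the same seq and be refunded a second time.
func (m *Module) onTimeoutVulnerable(seq uint64) error {
	amt, ok := m.pending[seq]
	if !ok {
		return errors.New("unknown packet")
	}
	m.mint(amt)
	if m.hook != nil {
		m.hook(m, seq) // external call while state is still stale
	}
	delete(m.pending, seq)
	return nil
}

// Hardened ordering: consume the packet record first and hold a reentrancy
// guard across the external call; a nested call fails closed.
func (m *Module) onTimeoutFixed(seq uint64) error {
	if m.busy {
		return errors.New("reentrant timeout callback rejected")
	}
	amt, ok := m.pending[seq]
	if !ok {
		return errors.New("unknown packet")
	}
	delete(m.pending, seq) // effect before interaction
	m.busy = true
	defer func() { m.busy = false }()
	m.mint(amt)
	if m.hook != nil {
		m.hook(m, seq)
	}
	return nil
}

// reentrantHook models a malicious contract that re-invokes the callback once.
func reentrantHook() Hook {
	depth := 0
	return func(m *Module, seq uint64) {
		if depth == 0 {
			depth++
			_ = m.OnTimeoutPacket(seq) // attacker ignores the error
		}
	}
}

// RunScenario escrows 100 tokens, times the packet out under a reentrant hook
// and returns the total minted to the receiver.
func RunScenario(fixed bool) uint64 {
	m := NewModule(fixed, reentrantHook())
	m.SendPacket(1, 100)
	_ = m.OnTimeoutPacket(1)
	return m.balance
}

func main() {
	fmt.Println("vulnerable refund:", RunScenario(false)) // 200: minted twice
	fmt.Println("hardened refund: ", RunScenario(true))   // 100: minted once
}
```

The practical check this suggests for a chain upgrade is a regression test of exactly this shape: a hook that re-enters every IBC callback (receive, acknowledgement, timeout) and asserts that minted totals do not change, run against each new build of the forked module rather than once at audit time.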
Linked factors #
- RD-F-004 (causal): Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Chain infrastructure (unaudited per-upgrade)]
- RD-F-006 (causal): Audit-deploy gap, alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes, June Terra chain upgrade accidentally reintroduced vulnerability]
- RD-F-126 (causal): Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes, Astroport is a fork of its own earlier version; Terra using custom ibc-go fork]