On Solana, events are often reconstructed from transaction traces, and failed transactions still emit data. This bug in Across could have allowed attackers to spoof deposit events and trick relayers into filling orders with no real deposit behind them.
Cross-program invocation (CPI) is the mechanism on Solana through which one program calls another. It's used for system instruction calls, SPL token transfers, custom program execution, and even event emissions, making it a core part of writing functional programs in Solana.
This post discusses a vulnerability in ibc-go, a reference implementation of the Cosmos Inter-Blockchain Communication (IBC) protocol. A reentrancy vulnerability during the handling of timeout messages could have allowed an attacker to mint an infinite amount of IBC tokens on affected Cosmos chains.
Subscribe to be notified whenever we publish new security research.
