TechFlow news — Cosmos co-founder Ethan Buchman has commented on the BSC cross-chain bridge attack, stating that the core issue in this incident was the hacker's ability to forge Merkle proofs. This should not have been possible, as Merkle proofs are designed to ensure high integrity. Blockchain light clients (and IBC) rely on Merkle proofs, and many blockchains store data in Merkle trees so that proofs can be generated to verify that certain data is included in the tree.
Cosmos chains use a type of Merkle tree called IAVL. The IAVL repository exposes an API that uses "RangeProof," but it turns out there is a serious flaw in how RangeProof works internally. The problem with the IAVL RangeProof code is that it allows populating both the Left and Right fields in InnerNodes. Attackers exploited this by inserting unverified information into the Right field—data that never undergoes validation nor affects hash computation—tricking verifiers into believing certain leaf nodes were part of the tree. As a result, they successfully forged Merkle proofs.
Buchman noted that while using RangeProof was not a good idea in the first place, one potential fix is to pre-reject any proof where an internal node has both left and right fields populated. For Merkle proofs in IBC, IBC does not use the built-in RangeProof system of IAVL trees. Instead, it uses the ICS23 standard to generate and verify Merkle proofs from IAVL trees. The ICS23 code does not have this vulnerability and explicitly "rejects" RangeProofs.Original link




