Emergency Response to Reentrancy Attack on Terra Blockchain
On Wednesday, Terra developers paused network operations following a severe reentrancy attack in which over $4 million worth of various tokens was stolen from the blockchain. The chain was halted at block height 11430400 while developers rushed out an emergency patch for the critical vulnerability. The fix was successfully deployed at 04:19 UTC.
Validators representing over 67% of the voting power on Terra promptly upgraded their nodes to mitigate the risk of future exploits, according to a post on social media platform X.
According to estimates from security firm Beosin, the breach involved the theft of approximately $3.5 million in USDC stablecoins, $500,000 in USDT stablecoins, 2.7 bitcoin (BTC), and over 60 million tokens of Astroport’s ASTRO. The attack has been attributed to a specific reentrancy vulnerability identified in the timeout callback of ibc-hooks, which was initially disclosed back in April of this year.
In the wake of the attack, the value of ASTRO plummeted by 56%, as reported by CoinGecko. Additionally, Terra’s luna classic (LUNC) tokens experienced a decline of 3.4% within the last 24 hours.
Reentrancy vulnerabilities are a well-known class of bug that malicious actors can exploit. They let an attacker trick a smart contract into making repeated calls into a protocol, which ultimately leads to the theft of assets. The window for exploitation opens when the initial call gives the smart contract address the ability to interact with a user's wallet address.
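The bug class in a timeout callback, shown as an added Python example that is not Terra's or ibc-hooks' code: a simplified escrow whose timeout handler refunds the sender and then runs the sender's callback, once with the pending packet cleared after the call and once with it cleared before. The `Escrow` class, its methods, and the packet and account names are hypothetical, and the re-entering callback is a constructed test double.

```python
# Simplified model (assumption): the bug class only, not the ibc-hooks code.
class Escrow:
    """Holds funds for in-flight transfers and refunds them on timeout."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.pending = {}    # packet_id -> (sender, amount)
        self.balances = {}   # account -> total refunded
        self.callbacks = {}  # account -> callable run on timeout

    def send(self, packet_id, sender, amount, callback=None):
        self.pending[packet_id] = (sender, amount)
        if callback:
            self.callbacks[sender] = callback

    def on_timeout(self, packet_id):
        if packet_id not in self.pending:
            return False  # unknown or already handled
        if self.hardened:
            # Effects first: consume the packet before any external call.
            sender, amount = self.pending.pop(packet_id)
            self._refund(sender, amount, packet_id)
        else:
            # Vulnerable order: the packet stays pending during the call-out.
            sender, amount = self.pending[packet_id]
            self._refund(sender, amount, packet_id)
            self.pending.pop(packet_id, None)
        return True

    def _refund(self, sender, amount, packet_id):
        self.balances[sender] = self.balances.get(sender, 0) + amount
        callback = self.callbacks.get(sender)
        if callback:
            callback(self, packet_id)  # untrusted contract code runs here


def refunded_after_reentry(hardened, amount=100, reentries=3):
    """Time out one packet whose callback re-enters on_timeout."""
    escrow = Escrow(hardened)
    calls = {"left": reentries}

    def reentrant_callback(esc, packet_id):  # constructed test double
        if calls["left"] > 0:
            calls["left"] -= 1
            esc.on_timeout(packet_id)

    escrow.send("pkt-1", "contract-a", amount, reentrant_callback)
    escrow.on_timeout("pkt-1")
    return escrow.balances["contract-a"]
```

With the state cleared only after the call-out, a single 100-unit packet is refunded once per entry into the handler; with the packet consumed first, the nested call finds nothing pending and returns without paying.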