On July 30, 2024, the Cosmos-based DEX Astroport — deployed on Terra (Phoenix) — lost approximately $6.4 million through a reentrancy vulnerability in the IBC hooks timeout-callback path. The vulnerability had been identified and patched in April 2024 and then accidentally reintroduced in a June upgrade. Terra's validators halted the chain in response.
What happened
Astroport's deposit and trade flow on Terra used IBC hooks, a Cosmos primitive that lets a cross-chain message trigger contract execution on the receiving chain and lets the originating contract be called back when the packet is acknowledged or times out. When an IBC transfer involving Astroport timed out, that timeout callback was the path that handled the refund.
The vulnerability lived in this timeout callback. Control could pass back to a caller before the callback's effects were finalised, so under specific conditions an attacker contract receiving the callback could re-enter Astroport's contracts mid-callback, while the transfer still looked open, and be credited more than had been escrowed: in effect, conjuring tokens out of thin air by manipulating the protocol's accounting in the window where the timeout was being processed but the state had not yet been written.
The full history of the bug:
- Identified and patched in April 2024 — Astroport's team had spotted the issue and shipped a fix.
- Reintroduced in a June 2024 upgrade — the patch was inadvertently rolled back or overwritten when subsequent changes were merged.
- Exploited on July 30, 2024 — the attacker (presumably aware of the historical issue and monitoring for its reappearance) drained approximately $6.4M.
The drain included:
- 60 million ASTRO tokens (Astroport's native asset)
- $3.5M USDC
- $500K USDT
- 2.7 BTC
Aftermath
- Terra validators halted the chain within hours of the exploit being publicly identified, the same kind of coordinated validator halt that had been used on Terra Classic during the May 2022 collapse.
- Approximately 33 million ASTRO had been bridged to Neutron before the halt; these were subsequently seized and moved to the Astroport Treasury.
- 13 million ASTRO had already been swapped for ~124,000 axlUSDC and bridged to Ethereum, out of reach of the Terra validators.
- 20 million ASTRO that remained on Terra was blacklisted and rendered unmovable.
- The attacker's Terra address was blacklisted from making any further transactions.
- The IBC Hook vulnerability was re-patched (this time, presumably with regression tests to prevent future reintroduction).
Why it matters
Astroport's incident is one of the cleanest cases for why patched vulnerabilities require explicit regression testing. The April 2024 fix held until the June upgrade, which merged new code without verifying that the earlier patch was still in place. The result: a known, previously disclosed vulnerability was back in production for roughly eight weeks before someone exploited it.
The structural lessons:
- Patched bugs should be added to the protocol's permanent regression test suite, not just resolved as one-time fixes.
- Upgrade reviews should include explicit verification that previously-patched code paths still have their patches in place.
- Public vulnerability disclosures (even after patching) create attacker awareness; sophisticated operators watch patch and commit histories for reintroductions or related issues. The roughly eight-week gap between the June upgrade and the July exploit is consistent with deliberate monitoring rather than coincidence.
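The mechanism described under "What happened" and the regression-test lesson above, as one added example in Rust (the language of CosmWasm contracts). This is illustrative code written for this page, not Terra's ibc-hooks module and not Astroport's contracts, and it uses no CosmWasm or Cosmos SDK dependencies: the names Chain, Pending, timeout_vulnerable, timeout_fixed and minted_under_reentrancy, the balances, and the attacker's re-entry budget are all assumptions. It models a transfer whose tokens are escrowed, a timeout callback that refunds them and then notifies the sender contract, and an attacker contract that calls back into the handler from inside that notification. The vulnerable handler credits the refund before closing the packet; the fixed one closes the packet first and rejects nested calls. minted_under_reentrancy is the kind of check that belongs in a permanent regression suite: it returns the tokens created from nothing, and must stay at zero across every upgrade.

```rust
use std::collections::HashMap;

// Illustrative model of an IBC-hooks timeout-refund path. Added example: not Terra's
// ibc-hooks module and not Astroport's contracts. A transfer escrows the sender's tokens;
// on timeout the callback refunds them and notifies the sender contract, which may
// call back into the chain while the callback is still executing.

#[derive(Clone, Debug)]
struct Pending {
    sender: String,
    amount: u128,
    refunded: bool,
}

type TimeoutHandler = fn(&mut Chain, u64) -> Result<(), String>;

#[derive(Default)]
struct Chain {
    balances: HashMap<String, u128>,
    pending: HashMap<u64, Pending>,
    // Attacker contracts only: how many more times the contract re-enters the timeout
    // handler from inside its notification. Honest contracts have no entry.
    reentry_budget: HashMap<String, u32>,
    issued: u128,     // everything ever minted by deposit(); supply must stay equal to this
    next_packet: u64,
    in_timeout: bool, // reentrancy guard, used only by the fixed handler
}

impl Chain {
    fn deposit(&mut self, who: &str, amount: u128) {
        *self.balances.entry(who.to_string()).or_default() += amount;
        self.issued += amount;
    }

    /// Tokens in circulation: live balances plus escrow that has not been refunded.
    fn total_supply(&self) -> u128 {
        let escrowed: u128 = self.pending.values().filter(|p| !p.refunded).map(|p| p.amount).sum();
        self.balances.values().sum::<u128>() + escrowed
    }

    /// Start an IBC transfer: debit the sender and escrow the amount against a packet id.
    fn escrow(&mut self, sender: &str, amount: u128) -> Result<u64, String> {
        let bal = self.balances.entry(sender.to_string()).or_default();
        if *bal < amount { return Err("insufficient balance".into()); }
        *bal -= amount;
        let id = self.next_packet;
        self.next_packet += 1;
        self.pending.insert(id, Pending { sender: sender.to_string(), amount, refunded: false });
        Ok(id)
    }

    /// Deliver the timeout notification to the sender contract. An attacker contract
    /// calls straight back into `handler` and swallows whatever error it gets.
    fn notify(&mut self, who: &str, id: u64, handler: TimeoutHandler) {
        let budget = self.reentry_budget.get(who).copied();
        if let Some(n) = budget {
            if n > 0 {
                self.reentry_budget.insert(who.to_string(), n - 1);
                let _ = handler(self, id);
            }
        }
    }

    /// VULNERABLE: the refund is credited and the sender notified before the packet is
    /// marked refunded, so a re-entrant call still sees an open packet and pays again.
    fn timeout_vulnerable(&mut self, id: u64) -> Result<(), String> {
        let p = self.pending.get(&id).cloned().ok_or("unknown packet")?;
        if p.refunded { return Err("already refunded".into()); }
        *self.balances.entry(p.sender.clone()).or_default() += p.amount;
        self.notify(&p.sender, id, Chain::timeout_vulnerable); // external call inside the window
        self.pending.get_mut(&id).unwrap().refunded = true; // state finalised too late
        Ok(())
    }

    /// FIXED: checks-effects-interactions plus a reentrancy guard. The packet is closed
    /// before any external call, and a nested call into the handler is rejected.
    fn timeout_fixed(&mut self, id: u64) -> Result<(), String> {
        if self.in_timeout { return Err("reentrant timeout callback rejected".into()); }
        let p = self.pending.get_mut(&id).ok_or("unknown packet")?;
        if p.refunded { return Err("already refunded".into()); }
        p.refunded = true;
        let (sender, amount) = (p.sender.clone(), p.amount);
        *self.balances.entry(sender.clone()).or_default() += amount;
        self.in_timeout = true;
        self.notify(&sender, id, Chain::timeout_fixed);
        self.in_timeout = false;
        Ok(())
    }
}

/// Regression check: tokens created out of thin air when an attacker contract re-enters
/// the timeout handler `depth` times. Any handler that ships must return 0 here, so an
/// upgrade that reinstates the vulnerable ordering fails this test instead of reaching mainnet.
fn minted_under_reentrancy(handler: TimeoutHandler, depth: u32) -> u128 {
    let mut chain = Chain::default();
    chain.deposit("attacker", 1_000);
    chain.reentry_budget.insert("attacker".to_string(), depth);
    let id = chain.escrow("attacker", 1_000).unwrap();
    let _ = handler(&mut chain, id);
    chain.total_supply() - chain.issued
}

fn main() {
    println!("vulnerable, depth 2: minted {}", minted_under_reentrancy(Chain::timeout_vulnerable, 2));
    println!("fixed, depth 2:      minted {}", minted_under_reentrancy(Chain::timeout_fixed, 2));
}
```

With a re-entry depth of 2 the vulnerable handler pays the 1,000-token refund three times, creating 2,000 tokens from nothing, while the fixed handler pays once and refuses the nested call. In a real CosmWasm deployment the "external call" is a submessage or a call from the chain's IBC module rather than a direct function call, but the ordering rule is the same: close the packet before anything outside the contract runs, and separately authorise who may trigger the callback at all.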
The validator-halt response is also notable. Terra's smaller, more coordinated validator set was able to take action that would be far harder to coordinate on Ethereum or Solana. As with Cetus on Sui in 2025, chain-level intervention by validators is a viable defence on smaller chains, but it comes with trade-offs around decentralisation that each community accepts (or doesn't) case by case.
Sources & on-chain evidence
- [01] quillaudits.com: https://www.quillaudits.com/blog/hack-analysis/astroport-hack
- [02] theblock.co: https://www.theblock.co/post/308440/attacker-exploits-ibc-hooks-vulnerability-to-steal-tokens-on-terra-blockchain
- [03] cryptoslate.com: https://cryptoslate.com/terra-resumes-operations-after-5m-security-breach-triggers-astroport-token-plunge/