IBC security

[tdnguyenND]

Hi everyone
I'm researching IBC and wondering how IBC ensure security cross chain.
As fas as I understand in IBC model, relayer will track transaction in source chain and perform an IBC transaction (IBC receive or IBC acknowldege) in destination chain. Then, dest chain can verify the packet using its palyload and proof, which will basically produce a merkle tree, which root must be equal to consensus root (which is tracked by light client) -> This is quite clear to me. However, the consensus root is assigned to AppHash in message update client, which is not be validated at all (Dest chain only validate the commit & signatures of validators) -> So how does IBC ensure that the AppHash, or the Consensus root is correct? Hacker can use a correct commitment proof along with a fake AppHash, then he can send any packet he wants?

[tdnguyenND]

For future readers
The AppHash is included in block header by CometBFT consensus algorithm, so it take part in block hash building process.
That means, chain can re-build block hash based on the client state, and then compare it with the sent block hash. After that they can verify that block hash is correct based on validator's signature -> this phase if the block hash is correct, then the AppHash must be correct and can be trusted for ICS-023 verification