Verichains warns Cosmos, BSC, OKX projects of serious security flaws

After the discovery of multiple critical vulnerabilities, the industry-leading blockchain security company Verichains has recommended projects using Tendermint’s IAVL proof verification to take measures to protect their assets and reduce the likelihood of being exploited. 

Verichains has provided a public advisory, VSA-2022-100, about a significant Empty Merkle Tree vulnerability in the IAVL proof on Tendermint Core, a prominent BFT consensus engine, per the information shared with Finbold on March 8.

A second public advisory, designated VSA-2022-101 and titled "From Nil to Spoof – Critical IAVL Spoofing Attack via Multiple Vulnerabilities", has also been issued by Verichains.

Verichains made this finding in October while working in the aftermath of the BNB Chain bridge breach. The serious IAVL Spoofing Attack was discovered by security professionals who were looking for weaknesses in BNB Chain and Tendermint. They uncovered multiple flaws and concluded that the attack could have led to a major loss of funds. Due to an existing working partnership, BNB Chain was informed of these results in October and immediately deployed a fix.

At the same time, the Tendermint/Cosmos maintainers were privately informed of the flaws. The Tendermint library itself, however, did not receive a fix, since the IBC and Cosmos-SDK implementations had already switched from IAVL Merkle proof verification to ICS-23. At the moment, several projects remain at risk, including Cosmos, Binance Smart Chain, OKX, and Kava.

Billions of dollars could be at risk

According to Verichains’ Responsible Vulnerability Disclosure Policy, the company waited 120 days before making the vulnerability public. Due to the severity of the flaw, it is possible that further bridges may be hacked, resulting in additional losses that might amount to hundreds of millions, or perhaps billions, of dollars.

As a result, Verichains has recommended that any vulnerable Web3 projects relying on Tendermint’s IAVL proof verification implement immediate security upgrades. Once a vulnerability has been confirmed and disclosed to the affected parties, the Verichains team publishes its findings through the company’s site.

Notably, the Cosmos Hub and all other blockchains that are built on Tendermint are powered by a consensus engine called Tendermint Core.
