Skip to content

Verichains warns Cosmos, BSC, OKX projects of serious security flaws

Verichains warns Cosmos, BSC, OKX projects of serious security flaws

After the discovery of multiple critical vulnerabilities, the industry-leading blockchain security company Verichains has recommended projects using Tendermint’s IAVL proof verification to take measures to protect their assets and reduce the likelihood of being exploited. 

Verichains has provided a public advisory, VSA-2022-100, about a significant Empty Merkle Tree vulnerability in the IAVL proof on Tendermint Core, a prominent BFT consensus engine, per the information shared with Finbold on March 8.

A second public advisory, designated as VSA-2022-101, has also been issued by Verichains From Nil to Spoof – Critical IAVL Spoofing Attack via Multiple Vulnerabilities. 

In October, Verichains discovered this finding when they were working in the aftermath of the BNB Chain bridge breach. The serious IAVL Spoofing Attack was discovered by security professionals who were looking for weaknesses in BNB Chain and Tendermint. They uncovered many flaws, which led them to the conclusion that the attack may have led to a major loss of funds. Due to an existing working partnership, BNB Chain was informed of these results in October and immediately deployed a fix. 

All at once, the Tendermint/Cosmos maintainer was privately informed of the flaws. Tendermint library, however, did not get a fix since the IBC and Cosmos-SDK implementation had already switched to ICS-23 from IAVL Merkle proof verification. At the moment, several projects are at risk. Among these projects include Cosmos, Binance Smart Chain, OKX, and Kava

Billions of dollars could be at risk

According to Verichains’ Responsible Vulnerability Disclosure Policy, the company waited 120 days before making the vulnerability public. Due to the severity of the flaw, it’s possible that further bridges may be hacked, resulting in additional lost payments, which might amount to hundreds of millions, or perhaps billions, of dollars. 

As a result, Verichains has recommended that any vulnerable Web3 projects that rely on Tendermint’s IAVL-proof verification implement immediate security upgrades. Once discovered, the Verichains team promptly discloses the vulnerabilities and security holes it has found to the public through the company’s site.

Notably, the Cosmos Hub and all other blockchains that are built on Tendermint are powered by a consensus engine called Tendermint Core.

Best Crypto Exchange for Intermediate Traders and Investors

  • Invest in cryptocurrencies and 3,000+ other assets including stocks and precious metals.

  • 0% commission on stocks - buy in bulk or just a fraction from as little as $10. Other fees apply. For more information, visit etoro.com/trading/fees.

  • Copy top-performing traders in real time, automatically.

  • eToro USA is registered with FINRA for securities trading.

30+ million Users
Securities trading offered by eToro USA Securities, Inc. (“the BD”), member of FINRA and SIPC. Cryptocurrency offered by eToro USA LLC (“the MSB”) (NMLS: 1769299) and is not FDIC or SIPC insured. Investing involves risk, and content is provided for educational purposes only, does not imply a recommendation, and is not a guarantee of future performance. Finbold.com is not an affiliate and may be compensated if you access certain products or services offered by the MSB and/or the BD

Read Next:

Finance Digest

By subscribing you agree with Finbold T&C’s & Privacy Policy

Related posts

Sign Up

or

By submitting my information, I agree to the Privacy Policy and Terms of Service.

Already have an account? Sign In

Services

Disclaimer: The information on this website is for general informational and educational purposes only and does not constitute financial, legal, tax, or investment advice. This site does not make any financial promotions, and all content is strictly informational. By using this site, you agree to our full disclaimer and terms of use. For more information, please read our complete Global Disclaimer.