Skip to content

Verichains warns Cosmos, BSC, OKX projects of serious security flaws

Verichains warns Cosmos, BSC, OKX projects of serious security flaws

After the discovery of multiple critical vulnerabilities, the industry-leading blockchain security company Verichains has recommended projects using Tendermint’s IAVL proof verification to take measures to protect their assets and reduce the likelihood of being exploited. 

Verichains has provided a public advisory, VSA-2022-100, about a significant Empty Merkle Tree vulnerability in the IAVL proof on Tendermint Core, a prominent BFT consensus engine, per the information shared with Finbold on March 8.

A second public advisory, designated as VSA-2022-101, has also been issued by Verichains From Nil to Spoof – Critical IAVL Spoofing Attack via Multiple Vulnerabilities. 

In October, Verichains discovered this finding when they were working in the aftermath of the BNB Chain bridge breach. The serious IAVL Spoofing Attack was discovered by security professionals who were looking for weaknesses in BNB Chain and Tendermint. They uncovered many flaws, which led them to the conclusion that the attack may have led to a major loss of funds. Due to an existing working partnership, BNB Chain was informed of these results in October and immediately deployed a fix. 

All at once, the Tendermint/Cosmos maintainer was privately informed of the flaws. Tendermint library, however, did not get a fix since the IBC and Cosmos-SDK implementation had already switched to ICS-23 from IAVL Merkle proof verification. At the moment, several projects are at risk. Among these projects include Cosmos, Binance Smart Chain, OKX, and Kava

Billions of dollars could be at risk

According to Verichains’ Responsible Vulnerability Disclosure Policy, the company waited 120 days before making the vulnerability public. Due to the severity of the flaw, it’s possible that further bridges may be hacked, resulting in additional lost payments, which might amount to hundreds of millions, or perhaps billions, of dollars. 

As a result, Verichains has recommended that any vulnerable Web3 projects that rely on Tendermint’s IAVL-proof verification implement immediate security upgrades. Once discovered, the Verichains team promptly discloses the vulnerabilities and security holes it has found to the public through the company’s site.

Notably, the Cosmos Hub and all other blockchains that are built on Tendermint are powered by a consensus engine called Tendermint Core.

Best Crypto Exchange for Intermediate Traders and Investors

  • Invest in 70+ cryptocurrencies and 3,000+ other assets including stocks and precious metals.

  • 0% commission on stocks - buy in bulk or just a fraction from as little as $10. Other fees apply. For more information, visit

  • Copy top-performing traders in real time, automatically.

  • eToro USA is registered with FINRA for securities trading.

30+ million Users
eToro is a multi-asset investment platform. The value of your investments may go up or down. Your capital is at risk. eToro USA LLC does not offer CFDs, only real Crypto assets available. Don’t invest unless you’re prepared to lose all the money you invest.

Read Next:

Weekly Finance Digest

By subscribing you agree with Finbold T&C’s & Privacy Policy

Related posts