Tendermint Says Last Month’s Cosmos Vulnerability Exposed Security Loophole

The developers behind the Cosmos network released today a full disclosure of last month’s “critical security vulnerability” which reportedly enabled hackers to bypass certain penalties for misbehavior on the network.

Zaki Manian, director at Tendermint Inc – the for-profit entity behind the core technology of the Cosmos network – detailed to Coindesk in an interview:

“The key is we want to make it really difficult to misbehave in the network and then un-stake your tokens immediately and escape the consequences of that misbehavior…like voting for something bad in governance [or] the more complex things are double signage against an exchange to potentially reverse state.”

Normally, Cosmos validators – which are the equivalent to miners on a proof-of-work blockchain network – that do misbehave either by voting haphazardly or signing off on false transactions are penalized by having their staked ATOM tokens slashed. This is made possible through a minimum wait period of 21 days that prevent validators from un-staking their ATOM tokens before the network is able to sufficiently detect and screen their actions.

As stated in today’s post by the Tendermint team, the code vulnerability discovered last month could enable a validator to bypass the full un-staking or “un-bonding” period “and have their funds immediately become liquid essentially insta-unbonding.”

“Within the first 24 hours of receiving the bug report, our tooling detected ~22 events total,” the team wrote.

Having gone live this past March, Cosmos is a relatively new blockchain network that is designed to improve the interoperability between differing blockchain platforms. A reported $16 million was raised in an initial coin offering back in 2017.

The security vulnerability disclosed today was actually found in “the staking module” of the Cosmos Software Development Kit (SDK) which debuted back in 2018 as a “state-of-the-art” blockchain toolkit. It was…

Source Link