Cosmos creator All in Bits (AiB) recently issued an urgent alert, revealing that the Liquid Staking Module (LSM) of the Cosmos Hub poses severe security risks since it was developed by individuals linked to North Korea.
AiB believes the developers' contributions were integrated into the Cosmos Hub without sufficient security vetting, raising alarms over potential vulnerabilities.
Developers With Confirmed Links to North Korea
Initially developed in 2021 under the leadership of Cosmos validator hosting firm Iqlusion and its leader Zaki Manian, with contributions from Stride Labs, Binary Builders, and Informal Systems, the LSM was intended to modify key Cosmos modules like staking, distribution, and slashing. However, its integration into the Cosmos Hub, via Gaia, means that these vulnerabilities could potentially impact all staked ATOMs.
In an update, Cosmos co-founder Jae Kwon said that AiB examined the actions and omissions done by Manian during the development and promotion of the LSM, and raised serious concerns about the transparency and safety of the Cosmos Hub.
The timeline of events surrounding the development and security concerns of the LSM for the Cosmos Hub reveals a series of missteps, as per Kwon.
On June 24, 2021, the Interchain Foundation (ICF) announced that Iqlusion had secured funding for ongoing work on Gaia, network upgrades, and staking derivatives. By August of the same year, Manian and Iqlusion began developing the LSM, with major contributions from Jun Kai and Sarawut Sanit, later identified as linked to North Korea.
A critical audit by Oak Security in July 2022 uncovered significant vulnerabilities, particularly regarding slashing evasion. Shockingly, the same North Korean developers responsible for the original code were tasked with addressing these issues, undermining the integrity of the remediation process.
Despite these findings, Kwon claimed that Manian communicated with the FBI in March 2023 regarding the developers' ties to North Korea but did not disclose this to the community. Following this, Stride Labs attempted to enhance security in April 2023, yet their work largely involved porting the original code with minimal refactoring.
On April 19, 2023, a Signaling Proposal to integrate the LSM onto the Cosmos Hub was submitted, despite the unresolved security issues. This proposal progressed through various stages, leading to the LSM's integration on September 11, 2023, which occurred 19 months after the last audit.
Ultimately, Manian publicly acknowledged on October 2, 2024, that he had been aware of the DPRK connections since March 2023 but failed to inform the Cosmos community before advocating for the LSM integration, raising significant concerns about transparency and security within the Cosmos ecosystem.
Cosmos Exec Calls for Accountability
Kwon called for a comprehensive audit of the LSM and full disclosure regarding the involvement of North Korean-linked developers. Additionally, the Cosmos co-founder also advocated for the Interchain Foundation to implement a blacklist of individuals and entities promoting insecure protocols, including Manian and Iqlusion.
He also stressed the need to establish audit requirements for ICF-subsidized code development and develop oversight protocols to ensure rigorous safety assessments of code before new implementations are proposed for the Cosmos Hub.
