Cosmos co-founder Jae Kwon has raised concerns about the integrity and security of the Cosmos Hub's liquid staking module (LSM), noting that individuals linked to Democratic People's Republic of Korea (DPRK) contributed significantly to its development.
In a Tuesday GitHub post, Kwon explained that “for sixteen months […] the LSM was developed by individuals linked to North Korea, and their contributions were integrated into the Cosmos Hub without proper security vetting.” He attributed this oversight to “gross negligence” by the Cosmos validator hosting firm Iqlusion and its leader, Zaki Manian.
Kwon's concern is presumably that DPRK-linked actors have worked towards completing a so-called “supply chain attack” on Cosmos infrastructure. In such an attack, malicious developers infiltrate projects to embed vulnerabilities in the code that can later be exploited. This is a technique that's become a trademark of DPRK hackers, as the United Kingdom's National Cyber Security Centre reported at the end of 2023.
Kwon explained that LSM's design allows “for stakers to evade slashing by tokenizing their delegations.”
Josh Lee, the co-founder of decentralized exchange Osmosis, explained in an Oct. 16 tweet that “the premise of proof-of-stake is that it is secure because there is accountability of the stakeholders.” He said this would allow an attacker to take control of the chain by holding a big enough stake without being exposed to slashing.
Manian and Iqlusion did not immediately respond to a request for comment from Decrypt.
Iqlusion and Manian began developing the LSM in August 2021 with developers Jun Kai and Sarawut Sanit. Kwon later claimed these individuals were North Korean agents and that they contributed most of the code.
lots of confusion/misinformation about the north korean LSM on the hub.
let me, the south korean, clarify things a bit
let's dig in 👇
what's the vulnerability?
aib says a lot of things, but the only key thing that really matters is the claim is that LSM provides the ability… pic.twitter.com/KjhhLejOCY
— josh lee (@dogemos) October 16, 2024
According to Kwon, Manian was aware of the involvement of individuals linked to North Korea since March 2023 as admitted on social media. Despite this, he allegedly did not disclose this information or address other unresolved security issues until earlier this month.
“Rather than taking proactive measures, such as conducting an additional audit or disclosing this issue to the Cosmos community, Zaki publicly asserted that the module was ‘ready to be deployed,'” Kwon wrote. He said Zaki's lack of transparency represents “poor judgment represents a profound breach of the trust placed in Iqlusion by the Cosmos community.”
An audit in 2022 discovered critical vulnerabilities in the LSM, which Kwon alleged were addressed by the same individuals linked to North Korea. He also claimed that the last code merge involved these contributors. Manian said he rewrote the LSM code, presumably before deployment, along with the staking firm Stride.
Kwon further asserted that since the LSM is not a standalone module, but a collection of modifications and extensions built on top of existing Cosmos staking modules, any vulnerabilities could pose significant risks to all staked ATOM tokens.
He called on the Cosmos governance community to conduct a comprehensive audit of the LSM immediately. Additionally, he urged the Interchain Foundation to implement stricter auditing requirements and develop an oversight protocol to ensure safety in new Cosmos implementations.
The news follows the United States Federal Bureau of Investigations warning last month that DPRK-linked actors were now conducting “difficult-to-detect social engineering campaigns” against those working in the crypto sector.
Edited by Stacy Elliott.