- The Liquid Staking Module (LSM) faces critical security risks, including slashing evasion flaws.
- North Korean-linked developers were involved in LSM development, raising integrity concerns.
- Despite warnings, LSM was integrated into the Cosmos Hub without addressing key vulnerabilities.
A security review has found serious issues within the Liquid Staking Module (LSM) integrated into the Cosmos Hub. Developed by Iqlusion and led by Zaki Manian, the LSM contains critical vulnerabilities that could compromise the system’s integrity and user safety.
LSM development began in August 2021, led by Iqlusion and later supported by several other organizations, including Stride Labs and Informal Systems. In July 2022, Oak Security audited the LSM codebase and found severe vulnerabilities, especially those related to slashing evasion.
Despite these findings, the North Korean developers who wrote a significant portion of the code were put in charge of fixing the vulnerabilities, raising concerns over the integrity of the remediation process.
In March 2023, the FBI notified Zaki Manian about the developers’ ties to North Korea. Even with this knowledge, Zaki still promoted the LSM as finished in April 2023, pushing for its integration into the Cosmos Hub without disclosing the involvement of the North Korean developers or the security risks. This decision led to the approval of a proposal in April 2023 and the integration of the LSM into the Cosmos Hub in September 2023.
Core Vulnerabilities and Lack of Audits
The LSM, marketed as a secure upgrade, actually introduces features that allow slashing evasion, a critical issue highlighted in the Oak Security audit. This vulnerability allows participants to avoid penalties, weakening the proof-of-stake system’s core security mechanism.
While the developers claim this design was intentional, the persistent vulnerabilities put all staked ATOM tokens at risk, potentially impacting the broader Cosmos network.
Moreover, the LSM’s code went unaudited for 19 months, even though changes were made during that time. The final version of the module integrated into the Cosmos Hub in September 2023 still contained unresolved issues, with most of the code being written by developers with DPRK links.
Calls for Action and Transparency
Due to the severity of the situation, industry stakeholders are demanding immediate corrective actions, including a full audit of the LSM, a thorough review of the involvement of North Korean developers, and complete transparency regarding the timeline of events.
The discovery of DPRK involvement, combined with the lack of disclosure and ongoing security risks, has raised serious questions about the governance and decision-making processes behind the Cosmos Hub’s upgrades.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.