The Cosmos blockchain is a popular AppChain SDK used by various blockchains like Osmosis. The main feature developer for the SDK is the Interchain Foundation. In the past 3 years, the Liquid Staking Module (LSM) was built by a third party called Iqlusion. This is where the drama is at.
Iqlusion developed all of the Cosmos SDK code for the LSM portion alongside an individual named Zaki. In July of 2022, Oak Security performed a security audit of the codebase. They found a fairly bad vulnerability that was brushed off by the developers and noted as intended design. In particular, a staker could avoid slashing by tokenizing their delegations, which seriously compromises the security of the protocol.
A year after this code was reviewed, the FBI reached out to Zaki (I'm serious) about the developers being linked to North Korean threat actors. For some reason, Zaki did not disclose this to anyone in the Cosmos community and continued with the project as normal. A few months after this, a proposal was made to add LSM to the Cosmos Hub. To me, this shows a major lapse in judgement from Zaki - prioritizing features and personal gain over security.
Eventually, LSM was added to Cosmos Hub. This is disturbing for two reasons. First, there is a fairly bad vulnerability in the repository that was never fixed. Most of the time, auditors are willing to relent after some discussion. Given that the vulnerability was still there, it's strange that this was allowed to proceed. Second, another issue, intentionally added by the NK developers, may have been present in the codebase without anybody knowing.
All of this recently came to light because of an article from CoinDesk. To me, it's scary how the code got to production without anybody flagging the security issue in the report. It's just as scary that an individual didn't mention the NK developers working on this.
An absolutely crazy situation. With this much money and anonymity involved, though, these things are bound to happen. Personally, I think the article repeats itself too much for dramatic effect and calls the vulnerability "critical" when the report itself from Oak Security labels it as a high. Regardless, the write-up has a lot of good links, which I appreciate.