Verichains warns Cosmos, BSC, OKX projects of serious security flaws

After discovering multiple critical vulnerabilities, the industry-leading blockchain security company Verichains has recommended that projects using Tendermint’s IAVL proof verification take measures to protect their assets and reduce the likelihood of being exploited.

Verichains has provided a public advisory, VSA-2022-100, about a significant Empty Merkle Tree vulnerability in the IAVL proof on Tendermint Core, a prominent BFT consensus engine, per the information shared with Finbold on March 8.

Verichains made this finding in October of last year while working in the aftermath of the BNB Chain bridge breach. The serious IAVL Spoofing Attack was discovered by security professionals who were looking for weaknesses in BNB Chain and Tendermint. They uncovered many flaws and concluded that the attack may have been behind a major loss of funds. Because of a preexisting working partnership, BNB Chain was informed of these results in October and immediately deployed a fix.

At the same time, the Tendermint/Cosmos maintainers were privately informed of the flaws and acknowledged them. The Tendermint library, however, did not receive a fix, since the IBC and Cosmos-SDK implementations had already switched from IAVL Merkle proof verification to ICS-23. At the moment, several projects remain at risk, including Cosmos, Binance Smart Chain, OKX, and Kava.

BNB Chain informed of findings

A second public advisory, designated VSA-2022-101 and titled “From Nil to Spoof – Critical IAVL Spoofing Attack via Multiple Vulnerabilities”, has also been issued by Verichains.

This was done as part of its Responsible Vulnerability Disclosure initiative. The Cosmos Hub and all other blockchains that are built on Tendermint are powered by a consensus engine called Tendermint Core.

In line with Verichains’ Responsible Vulnerability Disclosure Policy, the company waited 120 days before making the vulnerability public. Given the severity of the flaw, further bridges may be hacked, resulting in additional lost funds that could amount to hundreds of millions, or perhaps billions, of dollars.

As a result, Verichains has recommended that any vulnerable Web3 project relying on Tendermint’s IAVL proof verification implement immediate security upgrades.

Once a vulnerability or security hole has been found and the disclosure period has passed, the Verichains team publishes it on the company’s site.
