After the discovery of multiple critical vulnerabilities, the industry-leading blockchain security company Verichains has recommended projects using Tendermint’s IAVL proof verification to take measures to protect their assets and reduce the likelihood of being exploited.
Verichains has provided a public advisory, VSA-2022-100, about a significant Empty Merkle Tree vulnerability in the IAVL proof on Tendermint Core, a prominent BFT consensus engine, per the information shared with Finbold on March 8.
In October of last year, Verichains discovered this finding when they were working in the aftermath of the BNB Chain bridge breach. The serious IAVL Spoofing Attack was discovered by security professionals who were looking for weaknesses in BNB Chain and Tendermint. They uncovered many flaws, which led them to the conclusion that the attack may have led to a major loss of funds. Due to a preexisting working partnership, BNB Chain was informed of these results in October and immediately deployed a fix.
All at once, the Tendermint/Cosmos maintainer was privately informed of the flaws, and they were recognized. Tendermint library, however, did not get a fix since the IBC and Cosmos-SDK implementation had already switched to ICS-23 from IAVL Merkle proof verification. At the moment, several projects are at risk. Among these projects include Cosmos, Binance Smart Chain, OKX, and Kava.
BNB Chain informed of findings
A second public advisory, designated as VSA-2022-101, has also been issued by Verichains From Nil to Spoof – Critical IAVL Spoofing Attack via Multiple Vulnerabilities.
This was done as part of its Responsible Vulnerability Disclosure initiative. The Cosmos Hub and all other blockchains that are built on Tendermint are powered by a consensus engine called Tendermint Core.
According to Verichains’ Responsible Vulnerability Disclosure Policy, the company waited 120 days before making the vulnerability public. Due to the severity of the flaw, it’s possible that further bridges may be hacked, resulting in additional lost payments, which might amount to hundreds of millions, or perhaps billions, of dollars.
As a result, Verichains has recommended that any vulnerable Web3 projects that rely on Tendermint’s IAVL-proof verification implement immediate security upgrades.
Once discovered, the Verichains team promptly discloses the vulnerabilities and security holes it has found to the public through the company’s site.