Verichains Calls for Action After Revealing Blockchain Security Vulnerabilities

Must read

Jeff Horseman
Jeff Horseman
Jeff Horseman got into journalism because he liked to write and stunk at math. He grew up in Vermont and he honed his interviewing skills as a supermarket cashier by asking Bernie Sanders “Paper or plastic?” After graduating from Syracuse University in 1999, Jeff began his journalistic odyssey at The Watertown Daily Times in upstate New York, where he impressed then-U.S. Senate candidate Hillary Clinton so much she called him “John” at the end of an interview. From there, he went to Annapolis, Maryland, where he covered city, county and state government at The Capital newspaper. Today, Jeff writes about anything and everything. Along the way, Jeff has covered wildfires, a tropical storm, 9/11 and the Dec. 2 terror attack in San Bernardino. If you have a question or story idea about politics or the inner workings of government, please let Jeff know. He’ll do his best to answer, even if it involves a little math.

After finding multiple critical vulnerabilities, leading blockchain security company Verichains recommended companies employing Tendermint’s IAVL proof verification to safeguard their assets and reduce exploitation risks.

A significant Empty Merkle Tree vulnerability in the IAVL proof on Tendermint Core, a well-known BFT consensus engine, has been disclosed by Verichains as part of its Responsible Vulnerability Disclosure program in a public advisory titled VSA-2022-100. The Cosmos Hub and other Tendermint-based blockchains are powered by the Tendermint Core consensus engine.

A second public advisory from Verichains is published as VSA-2022-101. Crucial IAVL Spoofing Attack through Several Vulnerabilities: From Nil to Spoof.

In the aftermath of the BNB Chain bridge attack, Verichains discovered this finding while working in October of last year. Security experts claim that a significant amount of funds might have been lost as a consequence of the serious IAVL Spoofing Attack, which was discovered through several flaws discovered in BNB Chain and Tendermint.

Due to an established working relationship, BNB Chain was informed of these results in October and promptly fixed the problem.

The Tendermint/Cosmos maintainer received a confidential disclosure at the same time, and they recognized the flaws. Nevertheless, as the IBC and Cosmos-SDK implementation had already switched from IAVL Merkle proof verification to ICS-23, a fix was not made available for the Tendermint library. Several projects are now in danger, including Cosmos, Binance Smart Chain, OKX, and Kava.

After 120 days, Verichains has notified the public in accordance with its Responsible Vulnerability Disclosure Policy. Due to the bug’s crucial nature, more bridge hacking and ensuing funds losses might, in certain situations, cost millions or even billions of dollars.

Web3 projects that are still using Tendermint’s IAVL proof verification have been warned by Verichains to enhance their security.

On a regular basis, the Verichains team publishes security flaws and vulnerabilities found via investigation and testing on the organization’s website.

Latest article

More articles