The developer of interconnected blockchain network Cosmos (ATOM) is warning that the Liquid Staking Module (LSM) of the Cosmos Hub poses serious security risks.
In a statement, Cosmos co-founder Jae Kwon says that when developer Zaki Manian began building the LSM in August 2021, Jun Kai and Sarawut Sanit, coders who were later linked to North Korea, wrote most of the module’s code.
Kwon says the same North Korean developers also fixed the vulnerabilities identified by an Oak Security audit in July 2022.
“This not only undermined the integrity of the remediation process but also gave the potential creators of the vulnerabilities the opportunity to either fix or obscure any intentional weakness they may have introduced, potentially exposing the system to further risks.”
Kwon says that in March 2023, the FBI informed Manian about the involvement of North Korea in the project, but instead of disclosing the information to the Cosmos community, Manian announced in April 2023 that the LSM was ready to be deployed and pushed the signaling proposal to integrate the LSM into the Cosmos Hub.
By September, the LSM was integrated into the Cosmos Hub with 19 months of unaudited code changes.
Kwon says the Cosmos governance community should take immediate action, warning that the security issues with the LSM could lead to serious consequences.
“It is important to note that the LSM is not a standalone module but rather a series of modifications and extensions built on top of the existing Cosmos staking modules… Consequently, any vulnerability in Iqlusion’s LSM that impacts these core modules could potentially put all staked ATOM at risk, as liquid staking interacts directly with staked assets.”
Generated Image: Midjourney