The developers of Cosmos, a distributed ledger technology (DLT)-based platform for facilitating communication and transactions between separate blockchain networks, have published a comprehensive disclosure of a “critical security vulnerability” which was identified last month.
Vulnerability Would Have Allowed Hackers to Bypass Penalties for Malicious Conduct
The vulnerability found in Cosmos’ codebase would have allowed hackers to circumvent various penalties for misconduct on the leading blockchain interoperability network. Commenting on the nature of the critical software bug, Zaki Manian, Director at Tendermint Inc. (a for-profit commercial entity responsible for the initial development of the Cosmos platform), remarked:
The key is we want to make it really difficult to misbehave on the network and then un-stake your tokens immediately and escape the consequences of that misbehavior…like voting for something bad in governance [or] the more complex things are double signage against an exchange to potentially reverse state.
Cosmos’ decentralized, proof-of-stake (PoS)-based governance protocol has been implemented in a manner that prevents or discourages transaction validators from voting haphazardly or approving illegitimate transactions. Also referred to as block producers (BPs), the transaction validators on the Cosmos network risk losing their staked ATOM tokens if they decide to engage in dishonest behavior.
21 Day Wait Period Before Being Able to Un-Stake ATOM Tokens
In order to prevent misbehavior on the Cosmos blockchain, its developers have set a minimum wait period of 21 days - meaning that validators are not allowed to un-stake their ATOM tokens before this time period. This allows the built-in management system of the DLT-powered network to adequately determine whether the BPs are behaving appropriately.
According to Tendermint’s full disclosure report, the software vulnerability found in May 2019 would have allowed validators to bypass the required wait period before they could un-stake their ATOM tokens. Moreover, the report revealed that the software bug would have let BPs skip the “un-bonding” phase and “have their funds immediately become liquid essentially insta-unbonding.” As noted in Tendermint’s software audit report, “within the first 24 hours of [discovering] the bug ...our tooling detected ~22 events total.”
Notably, Cosmos’ mainnet went live in March 2019 - after extensive testing and development. The founders of the Cosmos project managed to raise $16 million through an initial coin offering (ICO) that took place in 2017.
Vulnerability Found in "Staking Module"
The security vulnerability described by the Tendermint team was reportedly discovered in “the staking module” of the Cosmos Software Development Kit (SDK). The blockchain interoperability platform’s SDK was first introduced in 2018, and was referred to as a “state-of-the-art” blockchain development toolkit.
Jessy Irwin, the Head of Security at Tendermint, told Coindesk that although the software bug disclosure report may be the first major vulnerability to have affected the Cosmos blockchain, “it’s not the first bug that has been reported to us.”
We’ve gone through seven security audits and we’ve had multiple issues raised and then we’ve also had a pretty active bug bounty program. We’ve invested quite a bit in the past year and a half since I joined the team in creating an environment where people report bugs instead of do[ing] nothing about them.
Although the critical vulnerability has now been resolved on the Cosmos mainnet, it did require BPs to conduct an emergency hard fork (backwards incompatible upgrade). The hard fork was reportedly activated at block number 482,100 on May 31, 2019.