The Cosmos Liquid Staking Module is facing serious security concerns after a report that most of its source code was written by developers linked to North Korea.
All in Bits (AiB), a Cosmos network development unit, published a report on 16 October 2024 describing serious issues in the Cosmos Hub's Liquid Staking Module (LSM), including that most of its source code was written by North Korean programmers.
Developed by Iqlusion since 2021, the LSM went through many changes over 19 months without an audit. Zaki Manian, the developer responsible for it, is accused of not being transparent about these vulnerabilities and of not disclosing the North Korean involvement, putting all staked ATOM at risk.
Details of the incident:
1. Discovery of security vulnerabilities: The LSM's design allowed stakers to avoid slashing penalties, which goes against a basic principle of the proof-of-stake system. Oak Security had warned about this issue, but it was not resolved. Zaki Manian and Iqlusion were aware of this vulnerability but still pushed for the integration of the LSM.
2. Involvement of North Korean programmers: The majority of the LSM source code was developed by two programmers with links to North Korea, Jun Kai and Sarawut Sanit. Zaki Manian had known this since March 2023, when the FBI disclosed the information, but did not tell the Cosmos community. Rather than commissioning an audit, Zaki continued to push for the integration of the LSM without a thorough review.
3. Lack of transparency: In April 2023, Zaki proposed the integration of the LSM without disclosing the security risks or the involvement of North Korean programmers. The LSM project was unanimously supported by the ICF, Iqlusion, Stride Labs, and Informal Systems, even though the source code was still unaudited and contained known vulnerabilities.
4. FBI intervention: The FBI warned about the North Korean involvement in March 2023, but Zaki did not act promptly. The LSM source code went unaudited for 19 months before being integrated into the Cosmos Hub, putting the entire community at risk.
5. Recommendations by All in Bits: All in Bits recommends an immediate, comprehensive audit of the LSM, together with full transparency about the North Korean programmers. It also proposes blacklisting the parties involved and establishing a stricter oversight process for projects funded by the ICF.