Cosmos may hold critical vulnerabilities, carries code injections by North Korean hackers

Cosmos (ATOM) may still hold critical vulnerabilities after inheriting code from undercover North Korean hackers posing as developers. Researchers discovered the Cosmos liquid staking module may need an overhaul, or risk exposing user funds to exploits. 

Cosmos (ATOM) may have inherited malicious code after hiring undercover North Korean hackers. The vulnerabilities may still exist in the liquid staking module, potentially exposing funds to exploits. 

The LSM building started back in 2021, headed by Zaki Manian and the Iqlusion project. Iqlusion has also received funding from the Interchain Foundation (ICF) for its activities in developing Cosmos Hub modules.

In August, two more developers joined the project – Jun Kai and Sarawut Sanit, later linked to North Korean hacking operations. Even after the code went through an audit, Kai and Sanit were the ones tasked with fixing the code. The two developers were last active until December 2022, and their affiliation was not discovered until the FBI contacted Zaki Manian with the information.

Vulnerabilities in the LSM module took years to disclose

It took years for the Cosmos community to receive the whole information on the codebase process. At some point, the known vulnerability for slashing evasion was supposedly repaired. However, the Cosmos co-founder Jae Kwon and the researchers from AllInBits claim some of the codebase has remained unchanged and may still pose a risk. 

At the same time, Zaki Manian claimed that the codebase was re-written from scratch, but still does not tie up the loose end of why the code needed to be re-written in the first place. Manian stated that the first LSM was a concept, but the rewriting took a very short time before calling for a vote. 

Cosmos community members also presented evidence that the LSM was still relying on the potentially malicious code. Even the rewrite contained significant sections taken from the contributions of the hackers posing as developers. The ATOM liquid staking module allows for malicious actions while avoiding slashing. A hacker could create value within the ecosystem, without facing a penalty on their ATOM stake. 

The last commit for the LSM was from February 2022, overlapping with the time the hackers were still involved with the code. After September 11, 2023, this version of the code already had 19 months with no audits, but was integrated into the Cosmos hub. 

The codebase was even voted in by a community proposal, without disclosing the vulnerabilities that were known at that point. The LSM was promoted through the Cosmos hub social media at a time when liquid staking projects were among the most popular crypto narratives. 

Only in October 2024 did Zaki Manian admit of the knowledge of North Korean hackers. Currently, the Cosmos Hub liquid staking continues to function, with no reported hacks, but the issue remains and researchers are urging a minimum of another audit, if not an entirely new codebase. The need for additional disclosure of risks was also raised, as the issue was suspected long before the full details of the LSM module were systematized. 

Cosmos remains safe for other chains and projects

Most of the value locked on the Cosmos Hub is allocated to liquid staking projects Stride and Stafi. However, the value at risk is relatively low at around $876K. Cosmos Hub, while trying to be a key infrastructure for DeFi and Web3, has lagged behind other projects since the 2022 market crash. 

Outside the LSM, Cosmos remains a reliable carrier for all its ecosystem projects. So far, Cosmos hosts tokens valued at more than $20B, with some of the most prominent AI projects as top assets. The biggest damage to Cosmos was its involvement with Terra (LUNA), now remaining in the form of Terra Classic (LUNC). Other value locked belongs to the additional Cosmos chains, though they are not exposed to ATOM liquid staking. 

Cosmos also hosts Celestia (TIA), as well as the recently hot Injective (INJ), among other networks and Web3 projects. The connected side chains are not directly affected based on the LSM vulnerabilities. 

Following the news, ATOM extended its slide from the past few weeks, down to $4.43. Staked ATOM is showing a significant price disparity, with Stride Staked Atom trading at $6.34.