All in Bits (AiB), the creator of Cosmos, recently issued an urgent alert, revealing that the Liquid Staking Module (LSM) of the Cosmos Hub poses serious security risks because it was developed by people linked to North Korea.
AiB believes that developer contributions were integrated into the Cosmos Hub without sufficient security verification, which raised alarms about potential vulnerabilities.
Developers with confirmed links to North Korea
Originally developed in 2021 under the leadership of Cosmos validator hosting company Iqlusion and its leader Zaki Manian, with contributions from Stride Labs, Binary Builders and Informal Systems, the LSM was intended to modify key Cosmos modules such as staking, distribution and slashing. However, its integration into the Cosmos Hub, through Gaia, means that these vulnerabilities could potentially affect all staked ATOMs.
In an update, Cosmos co-founder Jae Kwon said AiB looked into Manian’s actions and omissions during the development and promotion of the LSM and raised serious concerns about the transparency and security of the Cosmos Hub.
The timeline of events surrounding the LSM’s development and security concerns for the Cosmos Hub reveals a number of missteps, according to Kwon.
On June 24, 2021, the Interchain Foundation (ICF) announced that Iqlusion had secured funding for ongoing work on Gaia, network upgrades, and stake derivatives. In August of the same year, Manian and Iqlusion began developing the LSM, with major contributions from Jun Kai and Sarawut Sanit, later identified as having ties to North Korea.
A critical audit by Oak Security in July 2022 discovered significant vulnerabilities, particularly with respect to slashing evasion. Shockingly, the same North Korean developers responsible for the original code were tasked with addressing these issues, undermining the integrity of the repair process.
Despite these findings, Kwon claimed that Manian communicated with the FBI in March 2023 about the developers’ ties to North Korea, but did not disclose this to the community. After that, Stride Labs attempted to improve security in April 2023, but their work largely involved porting the original code with minimal refactoring.
On April 19, 2023, a signaling proposal was submitted to integrate the LSM into the Cosmos Hub, despite unresolved security issues. This proposal progressed in several stages, leading to the integration of the LSM on September 11, 2023, which occurred 19 months after the last audit.
Finally, Manian publicly acknowledged on October 2, 2024 that he had been aware of the DPRK connections since March 2023, but had failed to inform the Cosmos community before advocating LSM integration, raising significant concerns about transparency and security within the Cosmos ecosystem.
Cosmos Exec calls for accountability
Kwon called for a full audit of the LSM and full disclosure about the involvement of developers linked to North Korea. In addition, the Cosmos co-founder also advocated for the Interchain Foundation to implement a blacklist of people and entities promoting insecure protocols, including Manian and Iqlusion.
He also emphasized the need to establish audit requirements for ICF-funded code development and develop oversight protocols to ensure rigorous code security assessments before new implementations are proposed for the Cosmos Hub.