
Author Topic: 'Internet of Blockchains' Platform, Cosmos Releases 'Critical Vulnerability': Re  (Read 9721 times)

Mercury (Hero Member)

The developers of Cosmos, a distributed ledger technology (DLT)-based platform for facilitating communication and transactions between separate blockchain networks, have published a comprehensive disclosure of a “critical security vulnerability” which was identified last month.

Vulnerability Would Have Allowed Hackers to Bypass Penalties for Malicious Conduct

The vulnerability found in Cosmos' codebase would have allowed misbehaving validators to circumvent the penalties for misconduct on the leading blockchain interoperability network. Commenting on the nature of the critical software bug, Zaki Manian, Director at Tendermint Inc. (the for-profit company responsible for the initial development of the Cosmos platform), remarked:

The key is we want to make it really difficult to misbehave on the network and then un-stake your tokens immediately and escape the consequences of that misbehavior…like voting for something bad in governance [or] the more complex things are double signing against an exchange to potentially reverse state.

Cosmos' decentralized, proof-of-stake (PoS) governance and consensus protocol discourages transaction validators from voting haphazardly or approving illegitimate transactions by putting their stake at risk. The validators, also referred to as block producers (BPs), stand to lose part of their staked ATOM tokens (slashing) if they engage in dishonest behavior.

21-Day Wait Period Before Being Able to Un-Stake ATOM Tokens

To deter misbehavior on the Cosmos blockchain, its developers set a minimum unbonding period of 21 days: a validator who un-stakes ATOM tokens must wait out that period before the tokens become liquid, and while they are unbonding they remain subject to penalties. This gives the network time to surface evidence of misbehavior (such as double signing) and apply the penalty before the funds can be withdrawn.

According to Tendermint's full disclosure report, the software vulnerability found in May 2019 would have allowed validators to bypass the required wait period before their ATOM tokens became liquid. Specifically, the report states that the bug would have let BPs skip the “un-bonding” phase and “have their funds immediately become liquid essentially insta-unbonding.” As noted in the same report, “within the first 24 hours of [discovering] the bug ...our tooling detected ~22 events total.”

Notably, Cosmos’ mainnet went live in March 2019 - after extensive testing and development. The founders of the Cosmos project managed to raise $16 million through an initial coin offering (ICO) that took place in 2017.

Vulnerability Found in "Staking Module"

The security vulnerability described by the Tendermint team was reportedly discovered in “the staking module” of the Cosmos Software Development Kit (SDK). The blockchain interoperability platform’s SDK was first introduced in 2018, and was referred to as a “state-of-the-art” blockchain development toolkit.

Jessy Irwin, the Head of Security at Tendermint, told Coindesk that although the software bug disclosure report may be the first major vulnerability to have affected the Cosmos blockchain, “it’s not the first bug that has been reported to us.”

Irwin added:

We’ve gone through seven security audits and we’ve had multiple issues raised and then we’ve also had a pretty active bug bounty program. We’ve invested quite a bit in the past year and a half since I joined the team in creating an environment where people report bugs instead of do[ing] nothing about them.

Although the critical vulnerability has now been resolved on the Cosmos mainnet, fixing it required validators (BPs) to coordinate an emergency hard fork, i.e. a backwards-incompatible upgrade. The hard fork was reportedly activated at block 482,100 on May 31, 2019.

Source
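The unbonding rule the post describes (a 21-day wait during which un-staked tokens stay penalisable, so that a validator cannot misbehave and immediately escape with liquid funds), as an added example in Go. This is illustration code written for this page, not code from the post, the news article, or the Cosmos SDK. It models a validator's stake as bonded, unbonding and liquid balances; the struct and function names, the 1000-token stake, the block heights, the 5% penalty and the timeline are assumptions. `InstantUnbond` is a deliberately wrong toy variant standing in for the "insta-unbonding" outcome the disclosure mentions; it does not reproduce the SDK's actual defect, which the post does not detail.

```go
package main

import (
	"fmt"
	"time"
)

// Added example (not Cosmos SDK code): a toy model of bonded/unbonding/liquid
// stake. The 21-day UnbondingPeriod is from the post; other values are assumed.
const UnbondingPeriod = 21 * 24 * time.Hour

// UnbondingEntry is stake that left the bonded set but is not yet liquid.
type UnbondingEntry struct {
	Amount         int64
	CreationHeight int64     // block height at which unbonding began
	CompletionTime time.Time // when the tokens become liquid
}

type Validator struct {
	Bonded    int64
	Unbonding []UnbondingEntry
	Liquid    int64
}

// Unbond moves stake into the unbonding queue; it is not liquid until
// CompletionTime. This is the wait the disclosed bug let validators skip.
func (v *Validator) Unbond(amount, height int64, now time.Time) error {
	if amount <= 0 || amount > v.Bonded {
		return fmt.Errorf("invalid unbond amount %d (bonded %d)", amount, v.Bonded)
	}
	v.Bonded -= amount
	v.Unbonding = append(v.Unbonding, UnbondingEntry{amount, height, now.Add(UnbondingPeriod)})
	return nil
}

// CompleteUnbonding releases every entry whose CompletionTime has passed.
func (v *Validator) CompleteUnbonding(now time.Time) {
	kept := v.Unbonding[:0]
	for _, e := range v.Unbonding {
		if now.Before(e.CompletionTime) {
			kept = append(kept, e)
		} else {
			v.Liquid += e.Amount
		}
	}
	v.Unbonding = kept
}

// Slash takes pct percent for an infraction at infractionHeight and returns the
// total removed. Bonded stake is always hit; an unbonding entry is hit only if it
// was created at or after the infraction and has not matured. Liquid funds are
// out of reach, which is why an instantly liquid exit defeats the penalty.
func (v *Validator) Slash(infractionHeight int64, now time.Time, pct int64) int64 {
	cut := func(x int64) int64 { return x * pct / 100 }
	total := cut(v.Bonded)
	v.Bonded -= total
	for i := range v.Unbonding {
		e := &v.Unbonding[i]
		if e.CreationHeight < infractionHeight || !now.Before(e.CompletionTime) {
			continue
		}
		s := cut(e.Amount)
		e.Amount -= s
		total += s
	}
	return total
}

// InstantUnbond is a deliberately wrong variant that makes funds liquid at once.
// It stands in for the "insta-unbonding" outcome the disclosure describes; the
// SDK's actual defect is not reproduced here (the post does not give it).
func (v *Validator) InstantUnbond(amount int64) error {
	if amount <= 0 || amount > v.Bonded {
		return fmt.Errorf("invalid unbond amount %d (bonded %d)", amount, v.Bonded)
	}
	v.Bonded -= amount
	v.Liquid += amount
	return nil
}

// DoubleSignThenExit plays out the scenario Manian describes: misbehave at
// height 100, un-stake at height 101, evidence submitted two days later.
// It returns what a 5% slash (assumed penalty) still recovers.
func DoubleSignThenExit(instant bool) int64 {
	start := time.Date(2019, 5, 30, 0, 0, 0, 0, time.UTC) // constructed timeline
	v := &Validator{Bonded: 1000}
	if instant {
		_ = v.InstantUnbond(1000)
	} else {
		_ = v.Unbond(1000, 101, start)
	}
	evidence := start.Add(48 * time.Hour)
	v.CompleteUnbonding(evidence) // nothing matures: 2 days < 21 days
	return v.Slash(100, evidence, 5)
}

func main() {
	fmt.Println("with unbonding period, slashed:", DoubleSignThenExit(false))
	fmt.Println("with instant unbonding, slashed:", DoubleSignThenExit(true))
}
```

With the unbonding queue the late evidence still reaches the 1000 tokens (50 slashed); with funds made liquid at once nothing is recoverable, which is the "escape the consequences" case the post quotes. The `CreationHeight` check is what keeps the rule fair in the other direction: an unbonding that began before the infraction is not penalised for it.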

Altcoins Talks - Cryptocurrency Forum


 
