Verichains Reveals Blockchain Security Vulnerabilities, Urges Action

HO CHI MINH CITY, VIETNAM – Verichains

Leading blockchain security firm Verichains has urged projects that still rely on IAVL proof verification in Tendermint Core to secure their assets and reduce the risk of exploitation, after identifying several significant vulnerabilities in that code.

As part of its Responsible Vulnerability Disclosure Policy, Verichains has released two related public advisories: VSA-2022-100, on a critical Empty Merkle Tree vulnerability in IAVL proof verification, and VSA-2022-101, on a critical IAVL spoofing attack via multiple vulnerabilities in Tendermint Core.

The Tendermint BFT consensus engine and the Cosmos SDK are popular blockchain platforms on which many well-known projects have been built, including BNB Smart Chain (BSC), OKX Chain, Band Chain and the now-defunct Terra (LUNA).

Verichains made these discoveries while investigating the BNB Chain bridge hack last October. The security specialists who identified the critical IAVL spoofing attack, which chains several vulnerabilities found in BNB Chain and Tendermint, say it could have resulted in a significant loss of funds.

Although the findings were privately disclosed to the Tendermint/Cosmos maintainers and duly acknowledged, no fix was released for the Tendermint Core library, because the Cosmos SDK and IBC had already migrated from IAVL Merkle proof verification to ICS-23.

However, given Tendermint's widespread adoption and the large sums of money held by other projects, the potential scale of impact should not be taken lightly. For example, in October, BNB Chain's Cross-Chain Bridge was exploited to illegally mint 2 million BNB, worth approximately US$566m, due to a vulnerability in Tendermint's IAVL RangeProof verification.

Because of an existing working relationship, Verichains also notified BNB Chain of these findings in October, and the issue was rectified the same day. No malicious exploitation occurred and no funds were lost.

In line with its Responsible Vulnerability Disclosure Guidelines, Verichains is now notifying the public after the required 120-day period. It urges affected Web3 projects that are still using Tendermint's IAVL proof verification to upgrade their security before suffering a catastrophic loss.

Last year, a number of blockchain bridges were breached after attackers identified and exploited weaknesses in them. If left unfixed, bugs of this severity could lead to further hacks and subsequent losses that in some cases could run to millions or even billions of dollars.

Security flaws and vulnerabilities identified by the Verichains team during their research and testing are regularly posted on the company’s website.

About Verichains

Verichains is a leading blockchain security firm specializing in code audits, cryptanalysis, perimeter security and incident investigation. Founded in 2017, the company leverages extensive expertise in security, cryptography and core blockchain technology, and has helped investigate and fix security issues in several major global crypto hacks, including BNB Bridge and Ronin Bridge.

Contact information

Dan Edelstein

[email protected]

See the source version on newsdirect.com:
