Verichains discloses critical blockchain security vulnerabilities
- Verichains says the risks relate to IAVL proof verification in Tendermint Core as there's no patch yet.
- The update is part of a Responsible Vulnerability Disclosure Policy, with public notified after 120 days.
- Web3 projects that still use Tendermint's IAVL proof verification should urgently upgrade their security.
Follow Invezz on Telegram, Twitter, and Google News for instant updates >
Verichains, a leading blockchain security firm, has identified significant blockchain security vulnerabilities.
In an urgent public advisory to projects in the ecosystem, the Verichains team said the vulnerabilities relate to IAVL proof verification and spoofing attacks in Tendermint Core and Cosmos. Specifically, the security risks relate to critical Empty Merkle Tree vulnerability and IAVL Spoofing Attack.
Are you looking for fast-news, hot-tips and market analysis? Sign-up for the Invezz newsletter, today.
Bugs related to Tendermint’s IAVL proof verification
The public update is part of the company’s Responsible Vulnerability Disclosure Policy, and comes after the requisite 120-day period.
According to Verichain, the identified vulnerabilities are of a “critical nature” and lack of action could see hackers exploit the bugs to cause further harm. All Web3 projects still running the IAVL proof verification on Tendermint need to move fast to secure assets and mitigate potential exploitation risks.
Per the platform, the risks were discovered in October 2022 as the team combed for vulnerabilities after a hack on a BNB Chain bridge. The verdict from security specialists was that the critical IAVL Spoofing Attack suggested multiple vulnerabilities in both BNB Chain and Tendermint. The ecosystem could have been exposed to “a significant loss of funds,” the experts noted.
While a patch was made on the BNB Chain last October, the same did not happen with the Tendermint/Cosmos maintainer. A patch to the Tendermint Core library did not happen as the Cosmos SDK and IBC had migrated from the IAVL Merkle proof verification to ICS-23.
The blockchain space has seen numerous breaches on bridges, with millions of dollars’ worth of digital assets stolen. Accordingly, Verichain specialists note that projects should not underrate the scale of any would-be breaches, given the exploit that saw BNB Chain’s Cross-Chain Bridge attacked at 2 million BNB worth over $566 million illegally issued.