Full Report
The Cosmos SDK is a popular AppChain framework used by various blockchains like Osmosis. The main feature developer for the SDK is the Interchain Foundation. Over the past 3 years, the Liquid Staking Module (LSM) was built by a third party called Iqlusion, and this is where the drama is. Iqlusion developed all of the Cosmos SDK code for the LSM portion alongside an individual named Zaki. In July of 2022, Oak Security performed a security audit of the codebase. They found a fairly bad vulnerability that was brushed off by the developers and noted as intended design: a staker could avoid slashing by tokenizing their delegations, which is a major compromise of the protocol's security, since slashing is the economic penalty that keeps validators and their delegators honest.

A year after this code was reviewed, Zaki was contacted by the FBI (I'm serious) about the developers being linked to North Korean threat actors. For some reason, Zaki did not disclose this to anyone in the Cosmos community and continued with the project as normal. A few months after this, a proposal was made to add LSM to the Cosmos Hub. To me, this shows a major lapse in judgement from Zaki - prioritizing features and personal gain over security. Eventually, LSM was added to Cosmos Hub.

This is disturbing for two reasons. First, there is a fairly bad vulnerability in the repository that was never fixed. Most of the time, auditors are willing to relent after some discussion; given that the vulnerability was still there, it's strange that this was allowed to move forward. Second, another issue, intentionally added by the NK developers, may have been present in the codebase without anybody knowing. All of this recently came to light because of an article from CoinDesk. To me, it's scary that the code got to production without anybody flagging the security issue in the report, and that an individual didn't mention the NK developers working on it. An absolutely crazy situation.
When working with this amount of money and anonymity though, these things are bound to happen. Personally, I think the article repeats itself too much for dramatic effect and calls the vulnerability "critical" when the report itself from Oak Security labels it as a High. Regardless, the write-up has a lot of good links, which I appreciate.
Analysis Summary
# Incident Report: Cosmos SDK Liquid Staking Module (LSM) Security and Insider Threat Concerns
## Executive Summary
A high-severity vulnerability (rated High by Oak Security, though described as "critical" in press coverage) existed in the Cosmos SDK Liquid Staking Module (LSM), developed by Iqlusion: it allowed stakers to avoid slashing by tokenizing their delegations, which undermines the core economic penalty of the protocol. Adding to this, one of the core contributors, Zaki, was contacted by the FBI about developers on the project being linked to North Korean threat actors but did not disclose this to the community, and the LSM, with the audit finding still unaddressed, was later integrated into the Cosmos Hub. The incident highlights serious failures in audit follow-through, disclosure, and software supply chain risk management.
## Incident Details
- **Discovery Date:** July 2022 (vulnerability identified by Oak Security). Public disclosure of the broader situation via a CoinDesk article (date not specified in the source).
- **Incident Date:** Ongoing, starting from LSM development, security audit in July 2022, and subsequent integration into Cosmos Hub.
- **Affected Organization:** Cosmos Ecosystem, specifically the Cosmos Hub following the integration of LSM.
- **Sector:** Cryptocurrency/Blockchain Development (AppChain SDK).
- **Geography:** Global (Cosmos community/development).
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-July 2022 (During LSM development by Iqlusion/Zaki).
- **Vector:** Insider knowledge/Supply Chain compromise via developer contribution.
- **Details:** Iqlusion, working with Zaki, developed the LSM code. According to the source, the FBI later indicated that developers on the project were linked to North Korean threat actors; the source does not identify which developers.
### Vulnerability Identification & Dismissal
- **Date/Time:** July 2022.
- **Vector:** Formal Security Audit.
- **Details:** Oak Security performed an audit and identified a vulnerability (rated High in the report) allowing stakers to avoid slashing by tokenizing their delegations. The developers dismissed the finding as "intended design," and it was never fixed.
### FBI Contact & Non-Disclosure
- **Date/Time:** Approximately one year after the audit (circa July 2023).
- **Vector:** Law Enforcement Inquiry.
- **Details:** Zaki was contacted by the FBI regarding links between developers on the project and North Korean threat actors. Zaki reportedly did not disclose this to the Cosmos community and continued work on the project as normal.
### Feature Integration
- **Date/Time:** A few months after the FBI contact (exact date not given in the source; roughly late 2023 if the contact was circa July 2023).
- **Vector:** Governance Proposal/Code Integration.
- **Details:** A governance proposal was made to add the LSM to the Cosmos Hub, carrying the unaddressed audit finding and, potentially, code contributed by the NK-linked developers. The proposal was eventually adopted and the LSM was integrated.
### Public Disclosure
- **Date/Time:** Recent (Date not specified, referencing the CoinDesk article).
- **Vector:** External Investigative Journalism.
- **Details:** The confluence of the unpatched vulnerability and the alleged insider threat links was brought to light publicly.
### Lateral Movement
- *Not applicable in the traditional sense; the compromise lies in the software supply chain and the integration of compromised/vulnerable code into production systems.*
### Data Exfiltration/Impact
- *No direct data exfiltration is explicitly mentioned, but the impact focuses on protocol security compromise.*
### Detection & Response
- **Detection:** Oak Security audit (2022) flagged the vulnerability; FBI contact flagged the insider threat (2023); Public disclosure via CoinDesk (Recent).
- **Response actions taken:** *The provided context does not detail immediate, specific response actions taken by the Cosmos community following the public disclosure.*
## Attack Methodology
This incident appears to stem from **supply chain compromise** and **insider threat** rather than a traditional external attack targeting network infrastructure.
- **Initial Access:** Developers reportedly linked to North Korean state-sponsored actors contributing to the LSM codebase through Iqlusion's development effort.
- **Persistence:** Maintaining the presence of the compromised/vulnerable code within the active development repository over a year, despite audit findings.
- **Privilege Escalation:** N/A (Focus is on code integrity compromise).
- **Defense Evasion:** Developers actively dismissing a high-severity vulnerability reported by an external auditor ("intended design").
- **Credential Access:** N/A.
- **Discovery:** Internal (Audit) and External (FBI/Journalism).
- **Lateral Movement:** N/A.
- **Collection:** N/A.
- **Exfiltration:** N/A.
- **Impact:** Introduction of a known, unpatched, high-severity vulnerability (per Oak Security's rating) into a major production blockchain (Cosmos Hub), coupled with the possibility of intentionally malicious code contributed by NK-linked developers.
## Impact Assessment
- **Financial:** High potential risk. The unpatched vulnerability could lead to direct financial loss through slashing avoidance, undermining the security model of Liquid Staking.
- **Data Breach:** Not applicable (Code integrity/Financial security compromised).
- **Operational:** Severe risk to the integrity and security posture of the Cosmos Hub following the integration of the LSM.
- **Reputational:** Major negative impact due to the mishandling of security audit findings and the failure to disclose potential national security risks associated with developers.
## Indicators of Compromise
- **Network indicators:** None specified.
- **File indicators:** The vulnerable sections within the Liquid Staking Module (LSM) codebase.
- **Behavioral indicators:** Developers dismissing a high-severity audit finding as "intended design" without fixing it; failure of a core contributor to disclose contact with law enforcement regarding threat actor links among project developers.
## Response Actions
*The context provided focuses on the discovery of historical failures rather than immediate containment/eradication actions taken post-disclosure.*
- **Containment measures:** Implied next step would be immediate investigation and potential pausing/removal of the LSM from the Cosmos Hub.
- **Eradication steps:** Patching the known slashing vulnerability; thorough third-party forensic review of all code contributed by implicated developers.
- **Recovery actions:** Re-auditing the entire LSM code base and governance structures.
## Lessons Learned
- **Security Audit Veto:** Auditor findings (whether rated High or Critical) cannot be dismissed by development teams as "intended design" without transparent community/governance review, especially when the finding subverts a core economic disincentive such as slashing.
- **Insider Threat & Disclosure:** There is a severe operational risk when a core contributor is informed by law enforcement of potential state-actor ties among project developers and does not disclose that threat to project stakeholders before the code is proposed for production.
- **Supply Chain Integrity:** Rigorous vetting and ongoing monitoring of contributors to critical blockchain infrastructure are essential, particularly when dealing with high-value DeFi protocols.
## Recommendations
- Implement mandatory, multi-party sign-off protocols for overriding or dismissing vulnerabilities flagged in security audits.
- Establish clear protocols for mandatory disclosure of any contact with law enforcement or intelligence agencies concerning current or past project contributors.
- Conduct an immediate, deeply scoped forensic review of all production code paths touched by the developers the FBI identified as linked to North Korean threat actors, with particular attention to the LSM and the unaddressed slashing finding.