- Verichains has identified several significant vulnerabilities in Tendermint Core.
- Projects using IAVL proof verification in Tendermint Core are advised to secure their assets to mitigate exploitation.
- Many popular projects, including BNB Smart Chain (BSC), are built on Tendermint.
Leading blockchain security firm Verichains has identified several significant vulnerabilities in Tendermint Core and, as part of its Responsible Vulnerability Disclosure Policy, has released two public advisories.
The first advisory, VSA-2022-100, discusses a critical Empty Merkle Tree vulnerability in the IAVL proof. The second advisory, VSA-2022-101, discusses a critical IAVL Spoofing Attack made possible by multiple vulnerabilities in Tendermint Core.
Verichains advises that projects using IAVL proof verification in Tendermint Core should secure their assets to mitigate exploitation risks.
Linked to recent BNB Chain bridge hack
The Tendermint BFT consensus engine and the Cosmos SDK are popular blockchain platforms used by several well-known blockchain projects, including the now-defunct Terra (LUNA), Band Chain, OKX Chain, and BNB Smart Chain (BSC).
Verichains indicated that it discovered the Tendermint Core vulnerabilities while working on the BNB Chain bridge hack that took place in October last year. The researchers, who identified the critical IAVL Spoofing Attack through multiple vulnerabilities found in BNB Chain and Tendermint, say it could have resulted in a significant loss of funds.
Although the vulnerabilities were disclosed to the Tendermint/Cosmos maintainers, no patch was released for the Tendermint Core library, since the Cosmos SDK and IBC had already migrated from IAVL Merkle proof verification to ICS-23.
Verichains Responsible Vulnerability Disclosure Policy
Verichains followed its Responsible Vulnerability Disclosure Policy and notified the public after the requisite 120 days. If left unfixed, the critical nature of the bugs may lead to further hacks and consequent loss of funds, which in some cases could amount to millions or even billions of dollars.
Verichains regularly publishes the security flaws and vulnerabilities it identifies on its website for public consumption.