After finding multiple critical vulnerabilities, the blockchain security company Verichains has recommended that companies still relying on Tendermint's IAVL proof verification take steps to safeguard their assets and reduce the risk of exploitation.
Verichains disclosed a critical Empty Merkle Tree vulnerability in the IAVL proof verification of Tendermint Core, a widely used BFT consensus engine, as part of its Responsible Vulnerability Disclosure program, in a public advisory titled VSA-2022-100. Tendermint Core powers the Cosmos Hub and other Tendermint-based blockchains.
A second public advisory from Verichains was published as VSA-2022-101: "Crucial IAVL Spoofing Attack through Several Vulnerabilities: From Nil to Spoof".
Verichains made this discovery in October of last year while investigating the aftermath of the BNB Chain bridge attack. According to the security researchers, the IAVL Spoofing Attack, which chains together several flaws found in BNB Chain and Tendermint, could have led to the loss of a significant amount of funds.
Due to an established working relationship, BNB Chain was informed of these results in October and promptly fixed the problem.
The Tendermint/Cosmos maintainers received a confidential disclosure at the same time and acknowledged the flaws. Nevertheless, because the IBC and Cosmos-SDK implementations had already switched from IAVL Merkle proof verification to ICS-23, no fix was released for the Tendermint library itself. Several projects therefore remain exposed, including Cosmos, Binance Smart Chain, OKX, and Kava.
After 120 days, Verichains notified the public in accordance with its Responsible Vulnerability Disclosure Policy. Given the critical nature of the bug, further bridge compromises and the resulting loss of funds could, in certain situations, cost millions or even billions of dollars.
Verichains has warned Web3 projects that still use Tendermint's IAVL proof verification to strengthen their security.
The Verichains team regularly publishes security flaws and vulnerabilities found through its research and testing on the organization's website.