- The company waited 120 days before making the vulnerability public.
- Verichains urges all vulnerable projects to immediately upgrade their security systems.

Verichains, a company specializing in blockchain security, released a warning about a vulnerability in the IAVL Tendermint Core consensus confirmation mechanism. The firm recommended that projects using Tendermint take steps to protect their assets and reduce the likelihood of exploitation.
While investigating this vulnerability, the company discovered other issues. A serious IAVL Spoofing Attack was found by security experts looking for weaknesses in BNB Chain and Tendermint. They found many flaws, which led them to conclude that the attack could have resulted in a large loss of funds. BNB Chain was informed of these results in October and immediately rolled out fixes.
Verichains issued a warning to Tendermint/Cosmos maintainers in early October 2022. Although the maintainers acknowledged the vulnerabilities, they decided not to release a patch in the Tendermint library. Several projects are at risk because of this, including Cosmos, Binance Smart Chain, OKX, and Kava.
Because the flaw is critical, a bridge breach and the resulting loss of funds could cost millions or even billions of dollars in certain situations. Web3 projects that still use Tendermint's IAVL proof check have received a warning from Verichains to tighten their security.