Concerns Over Cosmos Hub's Liquid Staking Module

Cosmos co-founder Jae Kwon raised alarms about the integrity and security of the Cosmos Hub's liquid staking module (LSM) in a post on Tuesday. It was previously disclosed that North Korean agents significantly contributed to the module's development.

> “For sixteen months, the LSM was developed by individuals linked to North Korea, and their contributions were integrated into the Cosmos Hub without proper security vetting,” Kwon stated, attributing this to the “gross negligence” of Cosmos validator hosting firm Iqlusion and its leader, Zaki Manian.

Manian and Iqlusion began developing the LSM in August 2021 with collaborators Jun Kai and Sarawut Sanit, the latter of whom Kwon claimed were North Korean agents. Kwon alleged they were responsible for most of the code.

Despite being aware of the North Korean involvement since March 2023, Kwon accused Manian of concealing this information as well as other security concerns until just earlier this month. “Rather than taking proactive measures, such as conducting an additional audit or disclosing this issue to the Cosmos community, Zaki publicly asserted that the module was ‘ready to be deployed,’” he stated. “Zaki’s lack of transparency and poor judgment represents a profound breach of the trust placed in Iqlusion by the Cosmos community.”

Although critical vulnerabilities were discovered in an audit of the LSM in 2022, Kwon alleged that the same North Korean agents were responsible for addressing those vulnerabilities. Manian claimed he rewrote the LSM code, presumably before its deployment, with the staking firm Stride.

Kwon further emphasized that since LSM is not a “standalone” module but a series of modifications and extensions built upon existing Cosmos staking modules, the vulnerabilities present critical risks to all staked Cosmos ATOM tokens.

He called on the Cosmos governance community to conduct an immediate and comprehensive audit of the LSM. Kwon urged the Interchain Foundation to enforce stricter auditing requirements and establish an oversight protocol to ensure safety in new Cosmos implementations.

The Block has reached out to Manian for further comments on the matter.