Verichains, the leading blockchain security firm, has released a public advisory warning of significant vulnerabilities in Tendermint’s IAVL proof verification. Verichains has discovered multiple critical flaws in the IAVL proof. This popular BFT consensus engine could expose many Web3 projects to security breaches and significant losses.
The first public advisory, VSA-2022-100, highlights a significant Empty Merkle Tree vulnerability in the IAVL proof. In contrast, the second advisory, VSA-2022-101, reveals a critical IAVL Spoofing Attack that can be exploited through multiple vulnerabilities. Both vulnerabilities could lead to billions of dollars in losses. Verichains recommends that all vulnerable Web3 projects implement immediate security upgrades.
Verichains Discovers Serious IAVL Spoofing Attack
These vulnerabilities were discovered during Verichains’ investigation into the aftermath of the BNB Chain bridge breach. The security professionals found the IAVL Spoofing Attack while searching for weaknesses in BNB Chain and Tendermint. The team discovered several flaws, concluding that the attack could have resulted in significant losses of funds.
While BNB Chain was informed of the findings and deployed a fix immediately, Tendermint was only privately informed of the vulnerabilities. Unfortunately, the Tendermint library did not receive a spot since the IBC and Cosmos-SDK implementation had already switched to ICS-23 from IAVL Merkle proof verification. As a result, several projects are at risk, including Cosmos, Binance Smart Chain, OKX, and Kava.
Verichains follows a Responsible Vulnerability Disclosure Policy, which requires the company to wait 120 days before disclosing the vulnerability publicly. However, due to the severity of the flaw, the delay in implementing security upgrades could lead to further breaches, resulting in significant losses of funds.
Immediate Security Upgrades Recommended
Verichains’ recommendation for immediate security upgrades aims to reduce the likelihood of exploitation and protect assets of vulnerable Web3 projects. Projects using Tendermint’s IAVL-proof verification must implement these measures to avoid potentially devastating losses.
In conclusion, discovering significant vulnerabilities in Tendermint’s IAVL proof verification highlights the importance of maintaining robust security protocols in Web3 projects. The potential for substantial losses emphasizes the need for security firms such as Verichains to identify vulnerabilities and make the public aware of them. Verichains’ recommendation for immediate security upgrades is essential to prevent further breaches and protect Web3 projects from potential losses.
