According to TechFlow, on October 16, All in Bits, a Cosmos ecosystem software development company, disclosed the source of serious security issues in the Cosmos Hub Liquidity Staking Module (LSM). The investigation found that most of the LSM code was written by developers associated with North Korea.

According to the All in Bits report, the core issues of LSM include: 1) a design flaw that allows slashing to be circumvented still exists; 2) LSM is not an independent module, but a series of modifications to the existing staking, allocation and slashing modules, which may affect all staked ATOMs; 3) more than 19 months of code changes have not been audited; 4) project leader Zaki Manian and Iqlusion have misled the public about significant information; 5) Interchain Foundation (ICF), Stride Labs and Informal Systems lack transparency in the process of advancing the project.

The investigation revealed that the development of LSM began in August 2021, led by Zaki Manian and Iqlusion. However, most of the code was actually written by developers Jun Kai and Sarawut Sanit, who were later confirmed to have ties to North Korea. Although the July 2022 Oak Security audit report pointed out critical vulnerabilities, particularly those related to slashing circumvention, these vulnerabilities were not adequately addressed. In addition, Zaki Manian did not disclose this important information to the Cosmos community after learning of the developers' connection to North Korea in March 2023. Instead, he continued to push the LSM signaling proposal in April 2023, claiming that the module was "completed," an act that All in Bits identified as a material misrepresentation and serious negligence.

All in Bits recommends the following urgent measures: 1) Immediately fix the major staking vulnerability of LSM; 2) Conduct a comprehensive and immediate security audit of LSM; 3) Fully disclose the timeline of the investigation involving North Korean agents; 4) Blacklist the relevant ICF parties; 5) Develop new audit and oversight protocols for ICF-funded projects.