Zero-day vulnerabilities are critical discoveries that can open the door to the compromise of websites, applications, and protocols. After the recent Drift and Kelp DAO attacks, the Cosmos ecosystem is now on the agenda.
Cosmos (ATOM) vulnerability
The vulnerability was announced by the researcher p6rkdoye0n. It is an availability issue: it can cause nodes in the Cosmos ecosystem, which protects over $8 billion in assets, to freeze during the block synchronization phase. Although it carries a CVSS 7.1 (High) severity rating, it cannot be said to directly endanger assets, so this is a different kind of incident from the Drift or Kelp DAO attacks. The vulnerability here is one that could disrupt the operation of the network itself.

The security researcher who identified the vulnerability wrote that he decided to disclose it publicly because his report was not taken seriously.
“I have made every effort to follow the Coordinated Vulnerability Disclosure (CVD) procedure for the security of the ecosystem; however, due to their lack of cooperation and irresponsible decisions, I have decided to proceed with the disclosure.
This action is carried out in accordance with the final decision of the provider. Any security risks that arise are the sole responsibility of the provider, and therefore, in this topic I will explain both the irresponsible attitude of the provider and detailed vulnerability information.
Until a patch for the disclosed vulnerability is released, validator operators in the Cosmos ecosystem are strongly advised to avoid restarting their nodes whenever possible. This vulnerability is triggered during the block synchronization phase.
Nodes currently in consensus mode can continue to operate normally; however, if they reboot and enter the block synchronization process, exposure to a malicious peer could lead to a deadlock, making it impossible for the node to rejoin the network.”
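The advice above distinguishes a node in consensus mode (safe to keep running) from one stuck in block sync after a restart. The page does not describe the bug's mechanism, so the following is not an exploit or a detection of the specific flaw; it is an added operator-side check, not code from the page or from the Cosmos project, that classifies a node's state from a series of polled RPC responses. It assumes the CometBFT/Tendermint RPC endpoints /status (whose sync_info carries latest_block_height and catching_up) and /net_info (whose result carries n_peers); the sample responses and heights are constructed inline so the script runs offline.

```python
"""Classify a node as in consensus, syncing, stalled in block sync, or peerless.

Added example (not the page's or the Cosmos project's code). Assumes the
CometBFT-style RPC JSON shapes of /status and /net_info; the helper names,
sample values and stall_window are this example's own choices.
"""
import json
from dataclasses import dataclass
from typing import List


@dataclass
class SyncSample:
    """One polling sample: block height, block-sync flag, connected peer count."""
    height: int
    catching_up: bool
    n_peers: int


def parse_status(status_json: str, net_info_json: str) -> SyncSample:
    """Extract the fields we need from one /status and one /net_info response."""
    sync_info = json.loads(status_json)["result"]["sync_info"]
    net = json.loads(net_info_json)["result"]
    return SyncSample(
        height=int(sync_info["latest_block_height"]),   # RPC returns it as a string
        catching_up=bool(sync_info["catching_up"]),
        n_peers=int(net["n_peers"]),                     # also a string in the JSON
    )


def classify(samples: List[SyncSample], stall_window: int = 3) -> str:
    """Return one of: consensus, syncing, stalled, no_peers, insufficient.

    'stalled' means the node reports catching_up while its height has not
    advanced across the last stall_window samples, with peers connected: the
    symptom an operator would watch for after a restart. It does not identify
    the cause, which the disclosure does not detail.
    """
    if len(samples) < 2:
        return "insufficient"
    last = samples[-1]
    if not last.catching_up:
        return "consensus"          # participating in consensus, nothing to do
    if last.n_peers == 0:
        return "no_peers"           # cannot sync at all; a connectivity problem, not a deadlock
    recent = samples[-stall_window:]
    if len(recent) >= stall_window and all(s.height == recent[0].height for s in recent):
        return "stalled"
    return "syncing"


# Constructed sample responses (fabricated values, mimicking the real RPC shape).
def _status(height: int, catching_up: bool) -> str:
    return json.dumps({"jsonrpc": "2.0", "id": -1, "result": {
        "sync_info": {"latest_block_height": str(height), "catching_up": catching_up}}})


def _net_info(n_peers: int) -> str:
    return json.dumps({"jsonrpc": "2.0", "id": -1, "result": {
        "n_peers": str(n_peers), "peers": []}})


SAMPLES_CONSENSUS = [parse_status(_status(h, False), _net_info(6)) for h in (100, 101, 102, 103)]
SAMPLES_SYNCING = [parse_status(_status(h, True), _net_info(6)) for h in (100, 150, 200, 250)]
SAMPLES_STALLED = [parse_status(_status(100, True), _net_info(4)) for _ in range(4)]
SAMPLES_NO_PEERS = [parse_status(_status(100, True), _net_info(0)) for _ in range(3)]


if __name__ == "__main__":
    for name, samples in (("consensus", SAMPLES_CONSENSUS), ("syncing", SAMPLES_SYNCING),
                          ("stalled", SAMPLES_STALLED), ("no_peers", SAMPLES_NO_PEERS)):
        print(f"{name:10s} -> {classify(samples)}")
```

In live use, the samples would come from polling the node's RPC at a fixed interval (for example every 30 seconds) and feeding the last few results to classify; a "stalled" verdict is the signal to inspect peers and logs rather than to keep restarting, which the disclosure specifically warns against.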
The researcher also said that he had reported a more serious security vulnerability through HackerOne, and that this was not taken seriously either.
The first report was sent on February 22, and the next day the Cosmos team declared that the attack was not feasible. The second report was sent on March 4 and was marked as spam. P6rkdoye0n, who has been repeating the warning in different ways for more than a month without being taken seriously, says that the attack code will not be shared for now.

The Cosmos (ATOM) price has dropped to $1.77, but it is not in a rapid decline for now.