
Verichains flags critical vulnerabilities in Tendermint Core
Verichains specialists identified several critical vulnerabilities in the AVL-tree-based consensus mechanism of the Tendermint Core protocol. ForkLog reported this to company representatives.
In October 2022 the BNB Chain cross-chain bridge was hacked. As a result of the exploit, the attacker illicitly issued tokens worth more than $544 million. The hacker exploited a bug in the bridge's codebase, which is its own iteration of a Tendermint solution.
During the analysis of the incident, Verichains staff identified a number of other issues. They said the vulnerabilities could enable a spoofing attack that could lead to “significant loss of funds”.
“Tendermint Core is the consensus engine that powers the Cosmos Hub and other blockchains built on the protocol,” the specialists noted.
As a result, projects such as OKX and Kava were put at risk.
Experts warned the BNB Chain team, which swiftly rolled out fixes.
The Tendermint and Cosmos developers also acknowledged the vulnerability. However, they did not issue a patch for the library, since the SDK already had another proof mechanism implemented.
Verichains urged Web3 projects using the Tendermint solution to fix the code themselves.
“The critical nature of the bug could lead to further bridge hacks and losses of funds in the millions or even billions of dollars,” the experts warned.
As noted, in 2022 the Web3 industry's losses from 167 major attacks were around $3.6 billion.