Infiltrating Cosmos
In crypto, your private keys might be safe, but what about the hands that built your digital vault?
Welcome to the Cosmos Hub, where alleged North Korean agents didn't need to hack the system - they may have helped build it.
The Liquid Staking Module (LSM), once celebrated as a milestone in decentralized finance, now stands accused of being a potential Trojan horse.
Have the guardians of Cosmos’ decentralized future inadvertently invited the fox into the henhouse?
From private communications to public repositories, this tale of alleged infiltration cuts to the heart of blockchain's promise of transparency and trust.
In a world where GitHub commits speak louder than words, how did state-sponsored actors allegedly slip past the guardians of the galaxy?
More importantly, who was asleep at the wheel while North Korea potentially typed its way into the heart of Cosmos?
Credit: Jae Kwon, Jacob Gadikian, CoinDesk
Imagine waking up to find out your favorite DeFi project was potentially built by the world's most notorious crypto thieves.
No, this isn't the plot of the latest Netflix crypto-drama. Welcome to the Cosmos Hub's reality.
The Liquid Staking Module (LSM), once hailed as Cosmos' crowning achievement, is now at the center of a storm that makes a black hole look like a walk in the park.
North Korean developers, FBI warnings, and a whole lot of "he said, she said" - this saga has it all.
As Jacob Gadikian, a former Cosmos ecosystem figure, ominously tweeted:
"It isn't about their geography or ethnicity. The people who built the LSM are the world's most skilled and prolific crypto thieves."
We're about to take a wild ride through the cosmic clusterbleep that is the LSM controversy.
The Cosmic Unraveling: A Timeline of Chaos
August 2021: LSM development kicks off. Iqlusion, led by Zaki Manian, starts building with Jun Kai and Sarawut Sanit. Little did they know, they were potentially coding with the enemy.
July 2022: Oak Security audit drops a bomb - critical vulnerabilities in LSM, particularly around slashing evasion. The fix? Let the same devs patch their own mess. What could go wrong?
December 4, 2022: Last code merge by our mysterious North Korean developers. They exit stage left, leaving behind a digital time bomb.
March 2023: Plot twist! FBI slides into Zaki's DMs, revealing the North Korean connection. Zaki's response? Radio silence to the Cosmos community.
April 3, 2023: Enter Stride Labs, stage right. They start "working" on LSM, mainly adding security features. A rewrite, they said. More like a fresh coat of paint on a crumbling wall.
April 7, 2023: Zaki, apparently forgetting the FBI memo, pushes for LSM integration on the Cosmos Hub Forum. "It's finished," he proclaimed. (Narrator: It was not finished.)
April 19, 2023: Proposal #790 hits the chain. No mention of North Korean devs or unresolved security issues. Nothing to see here, folks!
August 25, 2023: Software upgrade Proposal #821 submitted. LSM knocking on Cosmos Hub's door.
September 2023: LSM officially joins the Cosmos Hub family. A day that will live in crypto infamy?
October 2, 2024: Zaki finally spills the beans on X. "I learned of the DPRK links in March of 2023."
October 15, 2024: Jae Kwon drops a nuclear-grade exposé. Allegations of negligence, unresolved vulnerabilities, and calls for heads to roll. Cosmos' dirty laundry is now strung up for all to see, and it ain't pretty.
The Cosmic Cast: Key Players in the LSM Drama
Zaki Manian: The overeager conductor, pushed the LSM faster than a rocket on rocket fuel while mastering the art of selective amnesia when it came to FBI warnings.
Role: Leader of Iqlusion, LSM mastermind, and apparently, North Korea's unwitting talent scout.
Jae Kwon: The cosmic whistleblower, dropped several bombshells: LSM's vulnerabilities could put all staked ATOM at risk, demanded immediate audits, and called for the blacklisting of those promoting "insecure protocols".
His whistleblowing might just shatter the Cosmos' glass house.
Role: Cosmos co-founder, LSM controversy exposer.
The Phantom Coders, Jun Kai and Sarawut Sanit: Slipped into the Cosmos ecosystem smoother than a solar wind.
They vanished after December 2022, leaving behind a potential trojan horse. The kicker? They were tasked with patching their own vulnerabilities. Talk about the fox guarding the henhouse.
Role: Crypto ninjas extraordinaire, masters of the vanishing act. These code slingers wrote the majority of the LSM.
Houdini would be proud of their disappearing act, but the Cosmos community? Not so much.
LSM: Cosmos' Get-Out-of-Slashing-Free Card?
Imagine a crypto school where bad validators get detention (slashing), and their staker friends lose tokens too.
Now, Cosmos introduces a fancy new hall pass.
The Pitch: Stake your ATOM, get a liquid token. Attend class (secure the network) and play at recess (DeFi) simultaneously!
The Glitch: This pass might let you dodge slashing faster than you can say "blockchain".
How the Hooky Happens:
Stake ATOM, receive liquid staking tokens.
Validator misbehaving? Slashing imminent?
Quickly swap liquid tokens back to ATOM.
Watch other stakers eat the losses while you moonwalk away.
The Cosmic Headache: If slashing can be dodged, what's keeping validators in line?
In Cosmos High, this Liquid Staking Module is the hall pass that could let the cool kids run amok.
If it works, the whole proof-of-stake detention system falls apart.
And in crypto-land, that's not just a bad grade - it's potentially undermining the entire security model of Cosmos.
Here's why it matters...
Slashing is meant to keep validators honest:
If validators can dodge penalties, they might take more risks.
Risky behavior could lead to network instability or attacks.
Loss of trust could cause ATOM holders to jump ship.
In short, this "hall pass" could turn Cosmos High from a top-tier crypto academy into a chaotic playground where nobody's ATOM is safe.
Cosmic Fallout: When the ATOM Bombs Drop
The LSM revelations hit the Cosmos ecosystem like a meteor shower.
Trust in shambles: The community's faith in Cosmos leadership is shakier than a quantum particle.
Audit frenzy: Calls for code reviews are louder than a supernova explosion.
Governance gridlock: Proposals flying faster than cosmic rays as factions debate the path forward.
Brain drain threat: Some developers eyeing the escape pods, worried about hitching their wagon to a potential Titanic.
Amidst the chaos, one question eclipses all others:
If the guardians of the Cosmos can't protect it from infiltration, who can users trust to secure their slice of the crypto universe?
After Tapioca's $4.4 million stumble, we're left with a familiar taste of incompetence garnished with a side of North Korean intrigue.
It's another entry in the "How Not to DeFi" handbook, where your protocol is just one compromised key away from being the next cautionary tweet thread.
The security game has leveled up, evolving from smart contract bug hunts to a twisted version of "Who's the Mole?"
While we've gotten better at auditing our code, we've forgotten to run a virus scan on our devs.
Rogue actors aren't just in our programs anymore; they're writing them.
They're in our VS Code extensions, our job applicant pools, and probably in that weird Discord server you joined last week.
At this rate, every Web3 project will have their very own pet North Korean hacker by 2025.
Forget "bring your dog to work day" - it's now "bring your state-sponsored cyber-criminal to work day."
Welcome to the crypto clown fiesta, where your next colleague could be coding for Kim Jong-un on the weekends.
Is this the cyberpunk future we were promised, or just a really elaborate phishing scam that we're all falling for?