HO CHI MINH CITY, VIETNAM | March 08, 2023 08:54 AM Eastern Standard Time

Leading blockchain security firm Verichains has urged projects using IAVL proof verification in Tendermint Core to secure their assets and mitigate exploitation risks after identifying several significant vulnerabilities.

As part of its Responsible Vulnerability Disclosure Policy, Verichains has released two related public advisories,, on a critical Empty Merkle Tree vulnerability in the IAVL proof and  on a critical IAVL Spoofing Attack via multiple vulnerabilities on Tendermint Core.

Tendermint BFT consensus engine and Cosmos-SDK are popular blockchain platforms with which numerous popular projects have been built, such as BNB Smart Chain (BSC), OKX Chain, Band Chain, and the now defunct Terra (LUNA).

Verichains made these discoveries while carrying out work last October after the BNB Chain bridge was hacked. Security specialists, who identified the critical IAVL Spoofing Attack via multiple vulnerabilities found in BNB Chain and Tendermint, say it could have resulted in a significant loss of funds.

Although a private disclosure was made to the Tendermint/Cosmos maintainer, and the vulnerabilities duly acknowledged, a patch was not released for the Tendermint Core library as the Cosmos-SDK and IBC had already migrated to ICS-23 from IAVL Merkle proof verification.

However, due to the incredible popularity of Tendermint and the enormous sums of money held in by other projects, we can ascertain that the potential scale of impact should not be taken lightly. For example, in October, the BNB Chain's Cross-Chain Bridge was exploited to illegally issue 2m BNB, worth approximately US$566m, due to a vulnerability in IAVL RangeProof verification of Tendermint.

BNB Chain was also notified by Verichains of these findings in October simultaneously due to an existing working relationship, and the issue was swiftly patched on the same day. No malicious exploitation occurred, and no funds were lost.

Verichains has followed its Responsible Vulnerability Disclosure Policy to now notify the public after the requisite 120 days. Verichains has urged affected Web3 projects, still using Tendermint's IAVL proof verification, to upgrade their security before suffering a catastrophic loss.

Last year, numerous blockchain bridges were breached after hackers identified and exploited weaknesses. If not fixed, the critical nature of the bugs may lead to further hacks and consequent loss of funds, which in some cases could result in millions or even billions of dollars lost.

Security flaws and vulnerabilities identified by the Verichains team during its research and testing are regularly posted on the company's website.

About Verichains

Contact Details

Dan Edelstein