Open in app

Sign in

Write

Sign in

Cosmos Hub Security Vulnerability regarding Redelegation and Unbonding

Node A-Team
Node A-Team
Published in
2 min readMay 31, 2019

Delegators have to wait 21 days to completely unbond their Atoms on Cosmos Hub. But a if a delegator uses ‘redelegate’, they could bond their Atoms to a different validator immediately, and from a same validator, 7 times of redelegation is possible.

But a system vulnerability was found, which could bypass the rules of unbonding period. If a malicious user redelegates to a validator who is outside of the list of 100 validator (let’s say a validator from bonded stake rank 102), and then try to unbond from the validator. Then, due to the vulnerability, 21 days of unbonding period is skipped, and malicious user could successfully exploit this vulnerability in their advantage.

Jack Zampolin from Cosmos team shared a simple program which finds transactions, which might be involved in using this critical vulnerability of the network. By testing with this program, we were able to find that 7,250 Atoms have been unbonded by using this vulnerability for the benefit of self. Approximately, considering that an Atom is about $6, about $43,500 Atoms were unbonded using the malicious method above.

It is never a welcoming news to hear about critical system vulnerability which could hurt the network, but the bug was found in a early stage, preventing Cosmos Network from any damage. Through the finding of this vulnerability, validators got a good experience of how to cooperate and act quickly upon emergency situations.

Due to the possibilities of this vulnerability leading to malicious actors increasing, validators were not able to disclose the details above before the update was in effect.

Node A-Team (Moniker: ATEAM) is a Cosmos-SDK and Tendermint-based Blockchain Validator, which currently participates in Cosmos, IRISnet and Terra. Based on the knowledge and experience gained from various testnets and mainnet, Node A-Team contributes to Cosmos Ecosystem and operates highly secure nodes.

> ATEAM History
— Cosmos: “Game of Stakes” — Never Jailed
— IRISnet: “FUXI Betanet” — Reward Winner
— Terra-project: “Genesis Drill” — Top Tier

[ATEAM Validator Address: cosmosvaloper14l0fp639yudfl46zauvv8rkzjgd4u0zk2aseys]

Webpage: https://nodeateam.com/

Twitter: https://twitter.com/Node_Ateam

E-mail: contact@nodeateam.com

Blockchain Technology

--

--

Node A-Team
Node A-Team

Written by Node A-Team

50 Followers
Editor for

Cosmos Validator based in South Korea. “Never Jailed” winner of Game of Stakes. https://nodeateam.com

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams