Photo credit: Markus Spiske/Pexels

The Cosmos community has been rocked by revelations that North Korean-linked developers contributed to the Liquidity Staking Module (LSM), a critical feature of the Cosmos Hub’s ecosystem. 

A detailed assessment by All in Bits (AiB) sheds light on the security vulnerabilities introduced during the module's development, alongside concerns about transparency from key figures, including Zaki Manian and Iqlusion.

The LSM's development began in August 2021, initiated by the Interchain Foundation (ICF) and led by Zaki Manian’s Iqlusion team. Contributions to the project were made by developers Jun Kai and Sarawut Sanit, who were later discovered to have links to North Korea. 

Despite an audit in July 2022 by Oak Security identifying critical vulnerabilities—particularly regarding slashing evasion—these North Korean developers were tasked with addressing the flaws.

According to the analysis, a fundamental design flaw within the LSM, discovered during the Oak Security audit, allowed stakers to evade slashing penalties—shifting the risk to other network participants. 

Despite this vulnerability contradicting the core principles of a proof-of-stake system, the flaw was framed as an “intentional design goal” by Zaki and Iqlusion. This justification has been called into question as it undermines the network's overall security and exposes staked assets to significant risks.

AiB claims the involvement of North Korean developers in the LSM’s development has prompted demands for greater accountability within the Cosmos ecosystem. 

The failure to address the vulnerabilities identified in the audit, coupled with the decision to allow the same developers to fix these issues, has cast doubt on the module’s security. Community members are calling for a comprehensive audit of the LSM and increased oversight for future developments funded by the ICF.