Interchain Labs: Former Cosmos maintainers unintentionally brought in North Korean affiliates; no security issues found and the bounty has been doubled.

PANews reported on June 16 that Interchain Labs has confirmed that an individual later identified as being connected to North Korea was employed by a former maintainer from 2022 to 2024 and contributed to the Cosmos codebase during that period. This individual had limited access to the cosmos/IAVL and cosmos/cosmos-sdk codebases, and most of the contributed code has been deprecated or excluded from the roadmap, with independent audits finding no security vulnerabilities. To support transparency, ICL will provide a one-month double bounty for discovering vulnerabilities related to this participant's GitHub account on the Cosmos HackerOne page. After ICL took over the core stack development, new security protocols were implemented to prevent further contributions, and the person's application for a position was rejected. ICL has conducted security upgrades on all Cosmos core code repositories and will phase out the relevant code repositories in the future. This incident highlights the need for strict security procedures in the Web3 and broader technology sectors.
