
Cosmos Hub's Liquid Staking Code Faces Security Risks After North Korean Links Identified

by Soumen Datta

October 15, 2024


Despite warnings from Oak Security about the risks of slashing evasion, the module was reportedly promoted as secure and ready for integration into the Cosmos Hub.

Most of the code for the Cosmos Hub's Liquid Staking Module (LSM) was developed by North Korean agents, according to All in Bits (AiB), a prominent contributor in the Cosmos ecosystem.

The LSM's development reportedly began in August 2021, initiated by the Interchain Foundation (ICF) and spearheaded by Iqlusion, a key player in the Cosmos ecosystem, and Zaki Manian.

The project later saw collaboration with Stride Labs, Binary Builders, and Informal Systems to integrate the LSM into Gaia. However, the pivotal role played by two North Korean developers, Jun Kai and Sarawut Sanit, who contributed a majority of the code, has come under scrutiny.

Key Events:

  • June 2021: The ICF announced funding for ongoing work on Gaia and staking derivatives.

  • August 2021: Development of the LSM commenced, with significant contributions from North Korean developers.

  • July 2022: An audit by Oak Security flagged critical vulnerabilities in the LSM, particularly regarding slashing evasion.

  • March 2023: The FBI contacted Zaki Manian, revealing the North Korean links to the developers. However, this information was reportedly not disclosed to the Cosmos community.

  • April 2023: Zaki promoted the LSM as “finished,” ignoring ongoing security concerns, per reports.

Flaws in the LSM Design

The LSM’s design includes a critical flaw that allows participants to evade slashing penalties, posing a risk to the entire staking ecosystem. The Oak Security audit highlighted these vulnerabilities, yet Zaki and Iqlusion promoted the LSM as complete, creating a false sense of security.

This fundamental issue contradicts the principles of proof-of-stake systems, where slashing is essential for maintaining network integrity. By framing this flaw as an intentional design feature, they allegedly misled the Cosmos community about the real risks associated with the LSM.

Call for Action

In light of these revelations, AiB called for immediate action. A comprehensive audit of the LSM is essential to assess its security and integrity. According to AiB, the Interchain Foundation should:

  • Create a blacklist of individuals and entities involved in promoting insecure protocols, starting with Zaki Manian and Iqlusion.

  • Establish stringent audit requirements for any code development supported by the ICF.

  • Develop oversight protocols to ensure thorough safety assessments before new implementations are proposed.

The future security of the Cosmos ecosystem depends on addressing these issues openly and transparently. The community deserves a secure network, free from hidden risks.

Disclaimer: The views expressed in this article do not necessarily represent the views of BSCNews. The information provided in this article is for educational and informational purposes only and should not be construed as investment advice. BSCNews assumes no responsibility for any investment decisions made based on the information provided in this article.
