Least Authority Performs Security Audit of the Cosmos Blockchain SDK Framework

Least Authority performed a security audit of the Cosmos Blockchain SDK, a framework for building Proof of Stake state machines. The investigation and analysis were conducted by Emery Rose Hall and Ramakrishnan Muthukrishnan, with project management support from Hind Abu-Amr, in collaboration with Tendermint team members Jessy Irwin, Zaki Manian, Christopher Goes, and Jack Zampolin.

In order to facilitate a high-level review of the project together with a more detailed review of particular features, Least Authority and Tendermint approached this audit from a time-boxed perspective, allowing both teams' collaborative efforts, Tendermint's development progress, and Least Authority's investigative findings to guide the review. Least Authority focused primarily on the BaseApp, which defines the foundational implementation for a basic ABCI application. In addition, the team closely investigated the tooling for the chain initialization process, the state and transactions documentation, the auth and bank module specifications, the F1 Fee Distribution Module, and Tombstone. The goal was to review the high-priority areas of concern identified by the Tendermint team and to discover the more obvious issues, with the understanding that the time limit ruled out a more comprehensive evaluation, such as a review of the game-theoretic aspects of the consensus algorithms.

The audit took place from January 7 to 22, 2019, and the initial audit report was issued on January 23, 2019. A final report was produced on February 22, 2019, following discussions, the recommended updates made to the Cosmos SDK by the Tendermint team, and a final verification of those updates performed by Least Authority.