ICF and ICL with @asymmetric_re, @_SEAL_Org, @regen_network, and @binary_builders published a joint report on a former malicious contributor to Cosmos repositories.
The report confirmed that there are no immediate or future risks to the Cosmos stack.
The investigation identified the malicious actor as an engineer employed by former core-stack maintenance vendors between 2022 and 2024, prior to the formation and takeover of ICL as the core Cosmos stack developer.
This incident was contained through structural reforms, after consolidating Cosmos development under ICL and with the launch of extensive security upgrades with @asymmetric_re, including access audits, centralized permissions, code re-audits, and general hardening of development and organizational security practices. This hardening immediately proved useful, as the actor was re-identified as a job applicant and rejected.
With full support from AR, Regen, and Binary, all linked commits and binaries were reviewed in depth.
No malicious code or attack vectors were found. Reviews concluded that nearly all SDK code authored by this actor had already been deprecated or excluded from the roadmap during ICL’s post-reorg transition, especially following the cancellation of SDK v2.
In the case of IAVL, no risks or vulnerabilities were found after extensive multi-party independent audits. Regardless, the ICL team will be completely deprecating the codebase through our already planned release of IAVL v2, which is a full rewrite of the codebase.
The full report is available here:
These threats are constant across the Web3 ecosystem. That is why it's important to share findings to help improve baseline security.
ICL implemented contributor KYC, GitHub rule sets, removal of legacy access, and stronger infrastructure separation, among other measures.
Interchain Labs will continue re-auditing, re-reviewing, and reinforcing layered defenses.
To support a broader review, @Hacker0x01 bounties have been doubled for one month for any valid issues linked to the contributor's commits.
We thank Asymmetric Research, SEAL, Binary, and Regen for their fast responses.
The fast containment and clearing of this incident was another good test of our recently reimplemented security policies, validating our investment in proactive security.