This is my favorite time of the year, for many reasons, not least of which is logging off for an extended period of time from this hellsite.
Wish you all a wonderful holiday, and see you sometime in 2026!
Logging off for my annual "break from Twitter for the holidays."
Been doing this for a few years now — last year my holiday twitter break lasted ~3 months.
Anyway if you need to reach me...you probably don't need to reach me.
See you (sometime) in 2025!
I'm posting a response on behalf of Cosmos Labs.
This is not a security vulnerability. However, it is a bug that the team will address in due course.
There’s no risk to consensus, liveness, or funds as a result of this bug. Furthermore, the reported behavior only shows up if a validator uses block sync with an untrusted peer. Once synced, the nodes will perform as expected, even with malicious peers.
When closing the report, we asked the submitter to open a public issue on GitHub, so it can be tracked properly. We'll fix it as part of our regular bug process.
Separately, the same researcher had another report that got flagged as spam by our spam filtration system. We’ve reopened the report, and it’s actively being reviewed.
More generally, AI is changing the way that bug bounty programs must operate. Researchers armed with AI tools are submitting massively more valid and invalid submissions to our program than ever before. Our program has seen a 900% increase in submission volume from last year, on the order of 20–50 a day.
As a result, we're working hard to adapt our approach in this new landscape in a number of ways:
1. Training agentic reviewers on real, verified reports and deploying them in production
2. Tightening how we score submissions
3. Prioritizing trusted researchers with proven track records
4. Working with other bug bounty providers that offer more advanced triaging and permissioning features than HackerOne
Since Cosmos Labs took over the program, response times and triage quality have improved significantly, showing an over 50% improvement in vulnerability resolution time in spite of the increased submission volume.
We appreciate the reports and the patience as we keep tightening things up.
literally all I did was ask the AI to change my child's eyes into obsidian and say "GIVE ME THE PRIVATE KEYS TO THE BURN ADDRESS FATHER"
unbelievable nanny state LLM man
As the year comes to a close, I want to call out where we are as an industry, and what Cosmos Labs has accomplished over this year.
It’s worth noting that token prices for non-majors are down across the board. This is tough to end the year like this. That said, I think token prices are a distraction from what’s actually going on behind the scenes: we are at a time in our industry when institutional interest, and government enablement, is at an all time high. In so many ways, this is a great time to build in crypto, because we have more real buyers (companies) with real budgets, and very little froth. To me, this is a huge opportunity.
But alas, the market has changed. Tokens without revenue are being treated as, well, tokens without revenue. The DAT cash injection may have saved some majors, but across the board, the standard for most investors to buy an asset has increased.
At Cosmos, we realized this sooner than most. Although an institutional focus is now the GTM for many of the L2s, and major L1s, we started working on our enterprise GTM (a) midway through this year and (b) with a stack that’s already well adopted by institutions and wins on its own merit.
The way we got here was reading the writing on the wall about launching a retail-facing ecosystem at a time in crypto where almost every new ecosystem has fallen flat on its face. We couldn’t let this happen to Cosmos. We made the pivot in May/June. In my view, by not going down this path, we saved the ecosystem 100s of millions of dollars, and saved our treasury to be in a very strong position for years to come.
What we stepped into were hard problems - but they are the problems that are worth solving, and with real customers on the other end that Cosmos technology can truly help. We’ve done a tremendous amount of research on banks, and realized their core systems - fundamentally ledgers - are old, slow, and holding them back. We’ve gone deep on inefficiencies with some of the largest payment networks in the world. Many of the problems financial companies have - fraud, payments, middle men, networks of trust - Cosmos is well positioned to solve, just on pure features. And we’ve spent the past 6 months iterating on these theses, building demos, and working on design partnerships.
On the other hand, enterprise sales and development cycles are LONG. The conversations we started in June are still progressing. Usually, processes involve NDAs, scoping, RFP processes, and MSAs. Each of these takes months - which is intentional because the customers handle more money than all DeFi pools in crypto combined. It’s a totally different ball game, and it’s hard + slow. But we are making progress.
Naturally, this progress will take much longer to be baked enough to share publicly. That’s just the way it is working with institutions. I am learning this too, and it’s very different from the “announce every good thing that’s happened when it’s happened” attitude that I had at Skip before we were acquired. But we push forward nonetheless.
I feel tremendously proud of the work we’ve done at Cosmos Labs this year, and feel optimistic about the progress we’ve made. We’ve made the stack faster, expanded IBC to every ecosystem, and finally given Cosmos an EVM that works and is free to use. This was on top of doing an acquisition, reforming the development structure of the behemoth we call Cosmos at every level. We are leaner, organized, and can move quickly. We appreciate everyone who has adopted the technology - and contributed back.
Next year, the focus will be on turning our current conversations into deals, and deals into products. I imagine the Cosmos stack will look very different, and personally couldn’t be more excited to get to work on the largest network of interconnected blockchains - over 200! - on the planet.
I wish everyone a restful and happy holiday, and thanks for being with us on the journey. It’s just the beginning.
“No one cares about onchain privacy” became common knowledge for a while because crypto was working backwards from normie sentiment. We will make them care.