Wednesday, February 19, 2025

Critical Vulnerability in CometBFT’s Vote Extensions Patched After Discovery by Omni Labs


KEY TAKEAWAYS

  • Omni Labs identified a critical vulnerability in CometBFT’s Vote Extensions, which could halt Cosmos chains.
  • The flaw allowed malicious nodes to crash validators by sending malformed Vote Extensions.
  • A patch was released to introduce validation checks, ensuring network stability and security.
  • This incident underscores the need for rigorous validation and error handling in blockchain protocols.

In October 2024, a critical vulnerability was identified in CometBFT, specifically within the implementation of ABCI 2.0’s Vote Extensions. The flaw, discovered by Omni Labs team member Corver, has been patched and publicly disclosed in the GitHub Security Advisory GHSA-p7mv-53f2-4cwj.

If exploited, the vulnerability could allow a malicious actor to halt any Cosmos chain with Vote Extensions enabled. CometBFT is a Byzantine Fault Tolerant (BFT) consensus engine used in building blockchains, particularly those developed with the Cosmos SDK. ABCI 2.0, the Application Blockchain Interface, facilitates communication between the consensus and application layers in CometBFT, introducing features like Vote Extensions.

Discovering the Vulnerability

Omni Labs operates multiple environments for development and testing, including a staging environment that mirrors real-world conditions. During routine testing, Corver synced a third validator to the staging environment, and this validator is what exposed the bug. The node was left over from a previous instance of staging and still held that instance's view of the validator set; when it connected to the new instance it began gossiping Vote Extensions that were malformed relative to the new chain.

These malformed Vote Extensions carried a ValidatorIndex that did not exist in the receiving node's validator set. Nodes indexed their validator set with the peer-supplied value without checking its range, so every validator and full node that received one of these messages crashed. Because pre-commit votes are gossiped over the peer-to-peer network, no validator key or stake was needed to trigger the crash: any full node could send a pre-commit message carrying an invalid vote extension and bring down the validators and full nodes that received it.

The Impact and Mitigation

The vulnerability posed a significant risk to any Cosmos or CometBFT chain using vote extensions. An attacker could operate a malicious full node, broadcast invalid pre-commit messages, and cause network disruptions. Affected systems included protocols like Skip’s Slinky oracle and dYdX v4, which secures $350 million in Total Value Locked (TVL).

Upon discovery, the issue was reported to the CometBFT development team, who promptly released a patch. The patch introduced additional validation checks within the VerifyVoteExtension method so that a malformed Vote Extension is rejected as an invalid message rather than crashing the node. Operators of chains with Vote Extensions enabled should confirm they are running a patched release listed in the advisory.
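The bug pattern and its fix, written as an added example in Go (CometBFT's language) and not taken from CometBFT's code base: the types `Validator`, `ValidatorSet` and `Precommit`, the functions `unsafeValidatorByIndex`, `safeValidatorByIndex`, `ProcessPrecommit` and `unsafeProcessRecovered`, and the sample validator set and pre-commit message are all constructed for this illustration and simplified relative to the real consensus engine. The unsafe path trusts a peer-supplied ValidatorIndex and indexes the local validator set directly, which panics on an out-of-range value; the hardened path bounds-checks first and returns an error the caller can log and drop.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified stand-ins for consensus types (constructed for
// this example; not CometBFT's own definitions).
type Validator struct {
	Address string
	Power   int64
}

type ValidatorSet struct {
	Validators []Validator
}

// Precommit is a gossiped vote carrying a vote extension. ValidatorIndex is
// supplied by the sending peer and claims which validator in the current
// set cast the vote; it is untrusted input.
type Precommit struct {
	Height         int64
	ValidatorIndex int32
	Extension      []byte
}

// ErrInvalidValidatorIndex is returned when a pre-commit references a
// validator that does not exist in the receiver's validator set.
var ErrInvalidValidatorIndex = errors.New("vote extension: validator index out of range")

// unsafeValidatorByIndex mirrors the vulnerable pattern: the peer-supplied
// index is used without a range check. A negative or too-large index
// panics, and an unrecovered panic in a message handler takes the node down.
func unsafeValidatorByIndex(vs *ValidatorSet, p *Precommit) Validator {
	return vs.Validators[p.ValidatorIndex]
}

// safeValidatorByIndex is the hardened form: validate the index against the
// local validator set before indexing, and report a rejectable error.
func safeValidatorByIndex(vs *ValidatorSet, p *Precommit) (Validator, error) {
	if p.ValidatorIndex < 0 || int(p.ValidatorIndex) >= len(vs.Validators) {
		return Validator{}, fmt.Errorf("%w: index %d, set size %d",
			ErrInvalidValidatorIndex, p.ValidatorIndex, len(vs.Validators))
	}
	return vs.Validators[p.ValidatorIndex], nil
}

// ProcessPrecommit is what a receiving node's handler should look like: a
// malformed vote is rejected (false, err) and the node keeps running.
// Signature and height checks that a real engine performs are omitted.
func ProcessPrecommit(vs *ValidatorSet, p *Precommit) (bool, error) {
	if _, err := safeValidatorByIndex(vs, p); err != nil {
		return false, err
	}
	return true, nil
}

// unsafeProcessRecovered runs the vulnerable path under recover() so the
// demonstration process survives; it reports whether the call panicked.
// A real node has no such recover around its consensus reactor.
func unsafeProcessRecovered(vs *ValidatorSet, p *Precommit) (crashed bool) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	_ = unsafeValidatorByIndex(vs, p)
	return false
}

func main() {
	// Constructed sample: the new chain instance has two validators.
	set := &ValidatorSet{Validators: []Validator{{"val-a", 10}, {"val-b", 10}}}
	// Constructed sample: a stale node still believes a third validator
	// (index 2) exists and gossips a pre-commit on its behalf.
	stale := &Precommit{Height: 100, ValidatorIndex: 2, Extension: []byte("price:42")}

	fmt.Println("unsafe handler panicked:", unsafeProcessRecovered(set, stale))
	ok, err := ProcessPrecommit(set, stale)
	fmt.Println("hardened handler accepted:", ok, "error:", err)
}
```

Running the block shows the unsafe handler panicking on the stale pre-commit while the hardened handler rejects it with an error and continues. The same check must also reject negative indices, since a signed 32-bit index from the wire can be below zero as easily as above the set size.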

Lessons Learned

This incident highlights the importance of rigorous validation and robust error handling in protocol development. A peer-supplied index into a local data structure is untrusted input like any other field on the wire, and it must be range-checked before use. Peer-to-peer messages should never be trusted without verification, and a malformed message should be rejected and logged so that the node stays up; a crash on bad input is a denial-of-service vector that, in a consensus engine, can take the whole chain down.


Disclaimer: The views expressed in this article are those of the authors and do not necessarily reflect the official policy of CoinsHolder. Content, including that generated with the help of AI, is for informational purposes only and is not intended as legal, financial, or professional advice. Readers should do their research before taking any actions related to the company and carry full responsibility for their decisions.
Sharif
Sharif is a seasoned software engineer with a decade of experience in the tech industry, including 8 years in cryptocurrency and blockchain. With deep knowledge of decentralized technologies, Sharif offers insightful analysis and expert commentary on the transformative potential of blockchain. Through CoinsHolder.com, he shares his expertise, making him a respected voice in the cryptocurrency community.
