Headline
GHSA-22qq-3xwm-r5x4: CometBFT allows a malicious peer to make node stuck in blocksync
Name: ASA-2025-001: Malicious peer can disrupt node’s ability to sync via blocksync Component: CometBFT Criticality: Medium (Considerable Impact; Possible Likelihood per ACMv1.2) Affected versions: <= v0.38.16, v1.0.0 Affected users: Validators, Full nodes
Impact
A malicious peer may be able to interfere with a node’s ability to sync blocks with peers via the blocksync mechanism.
In the blocksync protocol peers send their base and latest heights when they connect to a new node (A), which is syncing to the tip of a network. base acts as a lower ground and informs A that the peer only has blocks starting from height base. latest height informs A about the latest block in a network. Normally, nodes would only report increasing heights:
B: {base: 100, latest: 1000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...
If B fails to provide the latest block, B is removed and the latest height (target height) is recalculated based on other nodes latest heights.
The existing code hovewer doesn’t check for the case where B first reports latest height X and immediately after height Y, where X > Y. For example:
B: {base: 100, latest: 2000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...
A will be trying to catch up to 2000 indefinitely. Even if B disconnects, the latest height (target height) won’t be recalculated because A “doesn’t know where 2000” came from per see.
Impact Qualification
This condition requires the introduction of malicious code in the full node first reporting a non-existing latest height, then reporting lower latest height and nodes which are syncing using blocksync protocol.
Patches
The new CometBFT releases v1.0.1 and v0.38.17 fix this issue.
Unreleased code in the main is patched as well.
Workarounds
When the operator notices blocksync is stuck, they can identify the peer from which that message with “invalid” height was received. This may require increasing the logging level of the blocksync module. This peer can then be subsequently banned at the p2p layer as a temporary mitigation.
References
If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.
Name: ASA-2025-001: Malicious peer can disrupt node’s ability to sync via blocksync
Component: CometBFT
Criticality: Medium (Considerable Impact; Possible Likelihood per ACMv1.2)
Affected versions: <= v0.38.16, v1.0.0
Affected users: Validators, Full nodes
Impact
A malicious peer may be able to interfere with a node’s ability to sync blocks with peers via the blocksync mechanism.
In the blocksync protocol peers send their base and latest heights when they connect to a new node (A), which is syncing to the tip of a network. base acts as a lower ground and informs A that the peer only has blocks starting from height base. latest height informs A about the latest block in a network. Normally, nodes would only report increasing heights:
B: {base: 100, latest: 1000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...
If B fails to provide the latest block, B is removed and the latest height (target height) is recalculated based on other nodes latest heights.
The existing code hovewer doesn’t check for the case where B first reports latest height X and immediately after height Y, where X > Y. For example:
B: {base: 100, latest: 2000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...
A will be trying to catch up to 2000 indefinitely. Even if B disconnects, the latest height (target height) won’t be recalculated because A “doesn’t know where 2000” came from per see.
Impact Qualification
This condition requires the introduction of malicious code in the full node first reporting a non-existing latest height, then reporting lower latest height and nodes which are syncing using blocksync protocol.
Patches
The new CometBFT releases v1.0.1 and v0.38.17 fix this issue.
Unreleased code in the main is patched as well.
Workarounds
When the operator notices blocksync is stuck, they can identify the peer from which that message with “invalid” height was received. This may require increasing the logging level of the blocksync module. This peer can then be subsequently banned at the p2p layer as a temporary mitigation.
References
If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.
References
- GHSA-22qq-3xwm-r5x4
- cometbft/cometbft@0ee80cd
- cometbft/cometbft@2cebfde