0Xnirix

**Name of the Vulnerable Software and Affected Versions** go-f3 versions 0.8.6 and earlier **Description** go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). Versions 0.8.6 and below experience a panic when validating specific "poison" messages. These messages can trigger an integer overflow in the signer index validation, potentially causing Filecoin nodes consuming F3 messages to crash. The issue is not self-propagating, requiring an attacker to directly send the malicious message to target nodes. The `signer index validation` process is susceptible to this issue. **Recommendations** Upgrade to version 0.8.7 or later to address this issue.