CVE-2021-21271

Name of the Vulnerable Software and Affected Versions: Tendermint Core versions 0.34.0 through 0.34.2

Description: The issue arises from the mishandling of timestamps during the consensus process in Tendermint Core, which can cause a denial of service. When double signs are observed, the consensus reactor forms DuplicateVoteEvidence, but since the current block is still "in flight" and hasn't been finalized through network consensus, different nodes may observe different "last commits" and assign different timestamps to DuplicateVoteEvidence. This results in some DuplicateVoteEvidence being considered invalid, leading to nodes proposing invalid evidence and potentially being disconnected by their peers. The bug means that double signs are denial-of-service vectors in the affected versions.

Recommendations: For Tendermint Core versions 0.34.0 through 0.34.2, update to version 0.34.3 to fix the bug. As of version 0.34.3, DuplicateVoteEvidence is no longer formed by the consensus reactor, but rather by the EvidencePool, which has consistent timestamp information across the network.