Name of the Vulnerable Software and Affected Versions: Tendermint versions 0.34.0 through 0.34.8

Description: The issue is related to a "forward lunatic attack" (FLA) that can be executed by a malicious validator with ⅓+ voting power, allowing them to sign commit messages for arbitrary application state associated with a block height that hasn’t been seen yet. This can lead to loss of funds, as the light client is responsible for verifying cross-chain state for IBC. However, it's noted that FLAs are only possible outside the Tendermint security model. All FLAs leave traces of provable misbehavior on-chain, and networks could use social consensus to recover. The patches introduced in Tendermint Core v0.34.9 handle all evidence automatically and on-chain.

Recommendations: For Tendermint versions 0.34.0 through 0.34.8, upgrade to Tendermint Core v0.34.9 at your earliest possible convenience.