PT-2023-33029 · Cometbft · Cometbft
Published 2023-09-29 · Updated 2023-09-29
No severity ratings or metrics are available.
Name of the Vulnerable Software and Affected Versions
CometBFT versions prior to the next release of each branch
Description
The default value of the BlockParams.MaxBytes consensus parameter in CometBFT has been found to be large for common use cases, which may affect block times and consensus participation when chain participants fully utilize it. This issue may have a slight impact on block latency depending on a network's topology. The BlockParams.MaxBytes consensus parameter should be set according to the specific needs of each chain. Chains are encouraged to evaluate the impact of having proposed blocks with the maximum allowed block size, especially on bandwidth usage and block latency. The timeout_propose parameter should be computed using the maximum allowed block size as a reference.
Recommendations
To mitigate this issue, chain ecosystems and their maintainers should:
- Set a BlockParams.MaxBytes configuration appropriate for their use case at the application level.
- Evaluate how gas is used and required on their chain, including gas and fee parameters, and ensure that any custom modules integrate with the gas and fee frameworks.
- Audit all of their currently-set parameters and configurations to ensure that they are appropriate for their use case.
- Develop and implement anti-spam measures on their nodes.
- Consider developing and implementing tooling that would allow them to sample incoming transactions to enable them to fine-tune the level of service they would like to provide to be resilient in slowdown scenarios.
Affected Products
Cometbft