PT-2024-40088 · Cometbft · Cometbft
Published 2024-02-28 · Updated 2024-02-28
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions:
CometBFT, all versions
Description:
A default configuration in CometBFT has been found to be insufficient for common use cases, potentially preventing the slashing mechanism from working in specific cases. The default values for the EvidenceParams.MaxAgeNumBlocks and EvidenceParams.MaxAgeDuration consensus parameters may not be sufficient to provide coverage for the entire unbonding period of a chain. If the limits of both of these parameters are exceeded, evidence may be prematurely expired and considered no longer valid, potentially allowing unpunished Byzantine behavior if evidence is discovered outside of that window.
Recommendations:
It is recommended that chain ecosystems and their maintainers set the consensus parameters EvidenceParams.MaxAgeNumBlocks and EvidenceParams.MaxAgeDuration to values appropriate for their use case:
- EvidenceParams.MaxAgeDuration should exceed the duration of the chain's unbonding period.
- EvidenceParams.MaxAgeNumBlocks should exceed the estimated number of blocks the chain will produce throughout the unbonding period.
- Regularly evaluate consensus parameters and configurations to ensure they meet the needs of the ecosystem as the network matures.
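The following Go program is an added example (not CometBFT code and not part of the advisory) showing how an operator can check whether a chain's evidence parameters cover its unbonding period and derive values that satisfy both recommendations above. It uses a local EvidenceParams struct rather than the cometbft types package, quotes the shipped defaults (100000 blocks, 48h) from the CometBFT source as I know it rather than from the advisory, and treats the 21-day unbonding period and 5-second block time as constructed sample inputs; the genesis key names printed at the end are assumed from CometBFT's genesis format.

```go
package main

import (
	"fmt"
	"time"
)

// EvidenceParams mirrors the two consensus parameters named in the advisory.
// It is a local type for this example, not the cometbft types package.
type EvidenceParams struct {
	MaxAgeNumBlocks int64
	MaxAgeDuration  time.Duration
}

// CometBFTDefaults are the values CometBFT ships with (100000 blocks, 48h).
// They are quoted from the CometBFT source as I know it, not from the
// advisory, so verify them against the version you actually run.
var CometBFTDefaults = EvidenceParams{MaxAgeNumBlocks: 100000, MaxAgeDuration: 48 * time.Hour}

// ChainProfile holds what the operator knows about their chain. AvgBlockTime
// should be an optimistic (fast) estimate: faster blocks mean more blocks per
// unbonding period, and a slow estimate would under-size MaxAgeNumBlocks.
type ChainProfile struct {
	UnbondingPeriod time.Duration
	AvgBlockTime    time.Duration
}

// Finding reports one parameter that does not cover the unbonding window.
type Finding struct {
	Param string
	Have  string
	Need  string
}

// BlocksInUnbonding estimates (rounding up) how many blocks the chain
// produces during one unbonding period.
func BlocksInUnbonding(p ChainProfile) int64 {
	if p.AvgBlockTime <= 0 {
		return 0
	}
	return int64((p.UnbondingPeriod + p.AvgBlockTime - 1) / p.AvgBlockTime)
}

// withMargin grows a count or duration by marginPct percent using integer
// arithmetic so the result is exact; the margin is what makes the parameter
// strictly exceed the unbonding period rather than merely match it.
func withMargin(v int64, marginPct int64) int64 {
	return v + v*marginPct/100
}

// RecommendEvidenceParams derives values that exceed the unbonding period by
// marginPct percent for both parameters, as the advisory recommends.
func RecommendEvidenceParams(p ChainProfile, marginPct int64) EvidenceParams {
	return EvidenceParams{
		MaxAgeNumBlocks: withMargin(BlocksInUnbonding(p), marginPct),
		MaxAgeDuration:  time.Duration(withMargin(int64(p.UnbondingPeriod), marginPct)),
	}
}

// CheckEvidenceCoverage returns a finding for each parameter that falls short
// of the unbonding period plus margin. Both are checked independently: evidence
// is only expired once both limits are exceeded, but letting one parameter
// carry the other leaves no slack if block time or chain liveness drifts.
func CheckEvidenceCoverage(ep EvidenceParams, p ChainProfile, marginPct int64) []Finding {
	need := RecommendEvidenceParams(p, marginPct)
	var out []Finding
	if ep.MaxAgeDuration < need.MaxAgeDuration {
		out = append(out, Finding{"EvidenceParams.MaxAgeDuration",
			ep.MaxAgeDuration.String(), need.MaxAgeDuration.String()})
	}
	if ep.MaxAgeNumBlocks < need.MaxAgeNumBlocks {
		out = append(out, Finding{"EvidenceParams.MaxAgeNumBlocks",
			fmt.Sprint(ep.MaxAgeNumBlocks), fmt.Sprint(need.MaxAgeNumBlocks)})
	}
	return out
}

func main() {
	// Constructed sample chain: 21-day unbonding period, ~5s blocks.
	chain := ChainProfile{UnbondingPeriod: 21 * 24 * time.Hour, AvgBlockTime: 5 * time.Second}
	for _, f := range CheckEvidenceCoverage(CometBFTDefaults, chain, 10) {
		fmt.Printf("%s = %s is below the required %s\n", f.Param, f.Have, f.Need)
	}
	rec := RecommendEvidenceParams(chain, 10)
	// Key names below are assumed from CometBFT's genesis consensus_params.evidence block.
	fmt.Printf("suggested genesis values: max_age_num_blocks=%d max_age_duration=%s\n",
		rec.MaxAgeNumBlocks, rec.MaxAgeDuration)
}
```

Run it as a one-off check before genesis or before a parameter-change proposal; with the sample chain it flags both defaults (48h against a 21-day unbonding period, 100000 blocks against roughly 363k expected blocks) and suggests values with a 10% margin. Re-run it whenever the unbonding period or the observed block time changes, which is the "regularly evaluate" step in the recommendations.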
Affected Products
Cometbft