PT-2025-15899 · crates.io · tendermint-light-client-verifier
Published 2025-04-09 · Updated 2025-04-09
CVSS v4.0: 8.2 (High)
| Vector | AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Name: ISA-2025-003: Malicious validator can spoof votes from other validators
Component: tendermint-rs
Criticality: High (Catastrophic Impact; Rare Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))
Affected versions: <= v0.40.2
Affected users: Everyone
Description
tendermint-rs contains a critical vulnerability in its light client implementation: corrupted validator sets are not handled safely. Because the vote tally does not check that each validator's address is derived from that validator's public key, votes from other validators can be spoofed. An attacker can use this to construct a malicious block that the light client accepts as if it were signed by a 2/3+ majority of voting power.
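The missing check, as an added example in Go (not the tendermint-rs crate's code, and not a reconstruction of the reporter's exploit path): a Tendermint Ed25519 validator address is the first 20 bytes of SHA-256 over the public key, and the validator-set hash commits only to each entry's public key and voting power, so a peer can relabel addresses in a set it serves without changing the hash the light client compares against the header. `SetCommitment` below is a simplified stand-in for that hash (chained SHA-256 rather than Tendermint's Merkle tree, an assumption of this example); the keys, powers and sign bytes are constructed for the demo. `TallyVotes` with `checkAddresses=false` mirrors the behaviour the advisory describes, trusting a set entry by its address alone; with the check enabled, an entry whose address is not derived from its key is rejected before any power is counted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Validator is one validator-set entry as a light client receives it from a peer.
type Validator struct {
	Address [20]byte
	PubKey  ed25519.PublicKey
	Power   int64
}

// Vote is one non-absent commit signature: the claimed signer address and the signature.
type Vote struct {
	ValidatorAddress [20]byte
	Signature        []byte
}

// AddressFromPubKey derives a Tendermint Ed25519 validator address: first 20 bytes of SHA-256(pubkey).
func AddressFromPubKey(pk ed25519.PublicKey) [20]byte {
	sum := sha256.Sum256(pk)
	var addr [20]byte
	copy(addr[:], sum[:20])
	return addr
}

// SetCommitment is a simplified stand-in (assumption of this example) for the validator-set hash.
// Like the real SimpleValidator commitment it covers only public key and voting power, never the address.
func SetCommitment(vals []Validator) [32]byte {
	h := sha256.New()
	for _, v := range vals {
		var power [8]byte
		binary.BigEndian.PutUint64(power[:], uint64(v.Power))
		h.Write(v.PubKey)
		h.Write(power[:])
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// CheckAddresses is the check the advisory describes as missing: every entry's address must be
// derived from that entry's own public key.
func CheckAddresses(vals []Validator) error {
	for i, v := range vals {
		if want := AddressFromPubKey(v.PubKey); v.Address != want {
			return fmt.Errorf("validator %d: address %x is not derived from its public key (want %x)", i, v.Address, want)
		}
	}
	return nil
}

// TallyVotes sums the voting power behind valid signatures over signBytes. checkAddresses=false
// trusts entries by address alone (the flawed behaviour); checkAddresses=true rejects a corrupted set.
func TallyVotes(vals []Validator, votes []Vote, signBytes []byte, checkAddresses bool) (int64, error) {
	if checkAddresses {
		if err := CheckAddresses(vals); err != nil {
			return 0, err
		}
	}
	seen := map[[20]byte]bool{}
	var tallied int64
	for _, vote := range votes {
		if seen[vote.ValidatorAddress] {
			return 0, fmt.Errorf("duplicate vote from %x", vote.ValidatorAddress)
		}
		seen[vote.ValidatorAddress] = true
		for _, v := range vals {
			if v.Address != vote.ValidatorAddress {
				continue // addresses not in the set are skipped, not counted
			}
			if !ed25519.Verify(v.PubKey, signBytes, vote.Signature) {
				return 0, fmt.Errorf("invalid signature for %x", vote.ValidatorAddress)
			}
			tallied += v.Power
			break
		}
	}
	return tallied, nil
}

// DemoResult collects what the constructed scenario shows.
type DemoResult struct {
	SameCommitment  bool  // relabelled set hashes the same as the honest one
	HonestPower     int64 // tally over the honest set (30)
	VulnerablePower int64 // tally over the corrupted set without the check (20, no error)
	VulnerableErr   error // nil: the flawed tally accepts the corrupted set
	FixedErr        error // non-nil: the hardened tally rejects it
}

// Demo builds a constructed three-validator set, then a copy in which validator 2 carries
// validator 0's address, the kind of mismatch the derivation check catches.
func Demo() DemoResult {
	signBytes := []byte("constructed sign bytes: chain-id/height/round/block-id")
	var honest []Validator
	var votes []Vote
	for i := 0; i < 3; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		honest = append(honest, Validator{Address: AddressFromPubKey(pub), PubKey: pub, Power: 10})
		votes = append(votes, Vote{ValidatorAddress: honest[i].Address, Signature: ed25519.Sign(priv, signBytes)})
	}
	corrupted := append([]Validator(nil), honest...)
	corrupted[2].Address = honest[0].Address
	r := DemoResult{SameCommitment: SetCommitment(honest) == SetCommitment(corrupted)}
	r.HonestPower, _ = TallyVotes(honest, votes, signBytes, true)
	r.VulnerablePower, r.VulnerableErr = TallyVotes(corrupted, votes, signBytes, false)
	_, r.FixedErr = TallyVotes(corrupted, votes, signBytes, true)
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The point the demo makes is that comparing the served set against the header's validators hash cannot detect address relabelling at all, so the derivation check has to run in the tally itself, before any power is credited to an address.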
Patches
The new tendermint-rs release v0.40.3 fixes this issue.
Unreleased code in the main branch is patched as well.
Workarounds
There are no known workarounds for this issue.
Timeline
- March 12, 2025, 13:41 PST: Issue reported
- March 12, 2025, 03:00am PST: Core team completes validation of issue
This issue was reported by Felix Wilhelm from Asymmetric Research.
Weakness Enumeration
Incorrect Authorization
Affected Products
tendermint-light-client-verifier