Improper Verification of Cryptographic Signature Affecting github.com/tendermint/tendermint/internal/evidence Open this link in a new tab package, versions >=0.34.0 <0.34.9


0.0
medium
  • Attack Complexity

    High

  • Integrity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-GOLANG-GITHUBCOMTENDERMINTTENDERMINTINTERNALEVIDENCE-2322190

  • published

    21 Dec 2021

  • disclosed

    20 Dec 2021

  • credit

    MaximilianDiez

Introduced: 20 Dec 2021

CWE-347 Open this link in a new tab

How to fix?

Upgrade github.com/tendermint/tendermint/internal/evidence to version 0.34.9 or higher.

Overview

github.com/tendermint/tendermint/internal/evidence is a package that handles all evidence storage and gossiping from detection to block proposal.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. The light client can accept a bad header from its primary witness and will not be able to form evidence of this deception, (even if all the secondary witnesses is correct). Because the light client is responsible for verifying cross-chain state for IBC, a successful attack can result in loss of funds.

**Note: ** This attack cannot be successfully executed unless there are already ⅓+ Byzantine validators, and therefore outside of Tendermint’s security model.