Improper Verification of Cryptographic Signature Affecting github.com/tendermint/tendermint/internal/evidence Open this link in a new tab package, versions >=0.34.0 <0.34.9
Attack Complexity
High
Integrity
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-GOLANG-GITHUBCOMTENDERMINTTENDERMINTINTERNALEVIDENCE-2322190
-
published
21 Dec 2021
-
disclosed
20 Dec 2021
-
credit
MaximilianDiez
Introduced: 20 Dec 2021
CWE-347 Open this link in a new tabHow to fix?
Upgrade github.com/tendermint/tendermint/internal/evidence to version 0.34.9 or higher.
Overview
github.com/tendermint/tendermint/internal/evidence is a package that handles all evidence storage and gossiping from detection to block proposal.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. The light client can accept a bad header from its primary witness and will not be able to form evidence of this deception, (even if all the secondary witnesses is correct). Because the light client is responsible for verifying cross-chain state for IBC, a successful attack can result in loss of funds.
**Note: ** This attack cannot be successfully executed unless there are already ⅓+ Byzantine validators, and therefore outside of Tendermint’s security model.