Improper Verification of Cryptographic Signature Affecting github.com/tendermint/tendermint/light package, versions >=0.34.0 <0.34.9


0.0
medium
  • Attack Complexity

    High

  • Integrity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-GOLANG-GITHUBCOMTENDERMINTTENDERMINTLIGHT-2322191

  • published

    21 Dec 2021

  • disclosed

    20 Dec 2021

  • credit

    MaximilianDiez

How to fix?

Upgrade github.com/tendermint/tendermint/light to version 0.34.9 or higher.

Overview

github.com/tendermint/tendermint/light is a package that provides a light client implementation.

The concept of light clients was introduced in the Bitcoin white paper. It describes a watcher of distributed consensus process that only validates the consensus algorithm and not the state machine transactions within.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. The light client can accept a bad header from its primary witness and will not be able to form evidence of this deception, (even if all the secondary witnesses is correct). Because the light client is responsible for verifying cross-chain state for IBC, a successful attack can result in loss of funds.

**Note: ** This attack cannot be successfully executed unless there are already ⅓+ Byzantine validators, and therefore outside of Tendermint’s security model.