CometBFT Blocksync Protocol Vulnerability Allows Malicious Peer to Disrupt Node Synchronization

Vulnerability

A vulnerability in the CometBFT block synchronization (blocksync) protocol can be exploited by a malicious peer to disrupt a node's ability to sync blocks with its peers. The issue is present in CometBFT versions through 0.38.16 and in 1.0.0. It arises because the protocol does not properly validate the 'latest' heights reported by peers: a peer can mislead a node about its synchronization status, potentially causing the node to attempt, indefinitely, to catch up to a block height that does not exist.

Impact

Exploitation of this vulnerability can lead to a node becoming stuck in the synchronization process, unable to catch up to the correct block height due to misleading information from a peer.

Reproduction

To reproduce this vulnerability, a full node must be introduced into the network that first reports a non-existent 'latest' height, then reports a lower height. This can be done by modifying the node's code to send inaccurate height information. Once this node is connected to another node that is syncing via the blocksync protocol, the vulnerability will be triggered, causing the syncing node to become stuck trying to catch up to the incorrect 'latest' height.
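The following Go snippet is an illustrative model added here, not CometBFT's own blocksync code. It shows why a catch-up target that only ratchets upward stays pinned to a non-existent height when a peer first advertises a bogus 'latest' height and then a lower one, and how recomputing the target from the heights peers currently claim avoids that. Peer IDs and heights are constructed for the example.

```go
package main

import "fmt"

// PeerHeightTracker models how a syncing node derives its catch-up target
// from the 'latest' heights its peers advertise (illustrative model only).
type PeerHeightTracker struct {
	heights map[string]int64 // peer ID -> height the peer last advertised
	maxSeen int64            // naive target: highest height ever advertised
}

func NewPeerHeightTracker() *PeerHeightTracker {
	return &PeerHeightTracker{heights: make(map[string]int64)}
}

// Report records a peer's advertised 'latest' height.
func (t *PeerHeightTracker) Report(peer string, height int64) {
	t.heights[peer] = height
	if height > t.maxSeen {
		t.maxSeen = height
	}
}

// NaiveTarget mirrors the weak behaviour described above: the target only
// ever moves up, so a peer that advertises a non-existent height and then a
// lower one leaves the node chasing a height nobody can serve.
func (t *PeerHeightTracker) NaiveTarget() int64 { return t.maxSeen }

// ValidatedTarget recomputes the target from what peers currently claim, so
// a downward revision by a misbehaving peer is reflected and the node is not
// pinned indefinitely to a height no peer still advertises.
func (t *PeerHeightTracker) ValidatedTarget() int64 {
	var max int64
	for _, h := range t.heights {
		if h > max {
			max = h
		}
	}
	return max
}

func main() {
	t := NewPeerHeightTracker()
	t.Report("honest", 100)     // constructed: honest peer at height 100
	t.Report("malicious", 1000) // constructed: non-existent 'latest' height
	t.Report("malicious", 50)   // constructed: then a lower height
	fmt.Println(t.NaiveTarget(), t.ValidatedTarget()) // 1000 100
}
```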

Remediation

Users can upgrade to CometBFT versions 1.0.1 or 0.38.17, both of which address this vulnerability. Instructions for downloading these versions are available on the CometBFT GitHub Releases page.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.6
  exploitability  7.7
  remediation     7.7
  relevance       0.0
  threat          1.6
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.