
Originally published at cvereports.com

GHSA-C32P-WCQJ-J677: Time Lords and Consensus: The "Tachyon" Exploit in CometBFT

Vulnerability ID: GHSA-C32P-WCQJ-J677
CVSS Score: 8.1
Published: 2026-01-23

A critical logic flaw in CometBFT's consensus engine allows a malicious block proposer to manipulate the chain's timestamp (BFT Time). By exploiting a disconnect between signature verification and weight attribution, attackers can skew block time forward, disrupting time-sensitive applications like vesting, unbonding, and IBC.

TL;DR

CometBFT (formerly Tendermint) failed to strictly verify that a vote's signer matched the validator set index during block construction. A malicious proposer could exploit this to perform an "identity swap"—attributing a future-dated timestamp from a low-weight validator to a high-weight one, artificially inflating the block's weighted median time. This breaks the chronological integrity of the blockchain.

Technical Details

  • Attack Vector: Network (Proposer Role)
  • CVSS: 8.1 (High)
  • CWE: CWE-345
  • Impact: Integrity & Availability (Time Manipulation)
  • Exploit Status: PoC / Conceptual
  • Patch Date: 2026-01-23

Affected Systems

  • CometBFT < 0.37.18 (fixed in 0.37.18)
  • CometBFT >= 0.38.0, < 0.38.21 (fixed in 0.38.21)
  • Cosmos SDK chains using affected CometBFT versions
  • Tendermint-based consensus engines

Code Analysis

Commit: bf8274f

Fix BFT Time calculation and validator address verification

func MakeBlock(...) ... ts, err := MedianTime(...)

Mitigation Strategies

  • Strict enforcement of validator address matching in commit signatures
  • Error propagation during MedianTime calculation failure
  • Input validation for CommitSig structures against the validator set

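The three mitigations above, modelled as an added Go example (constructed for this post, not CometBFT's own code): a toy BFT Time calculation that attributes voting power by the address a commit signature claims, plus a strict mode that rejects any signature whose address does not match the validator at the same index and returns an error instead of a skewed timestamp. The type and function names are simplified stand-ins for the real CometBFT structures, and the validator set and commit used to exercise it are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"time"
)

// Toy stand-ins for the CometBFT types the report names (constructed for this example, not the real structs).
type (
	Validator    struct{ Address []byte; VotingPower int64 }
	CommitSig    struct{ ValidatorAddress []byte; Timestamp time.Time; Absent bool }
	weightedTime struct{ t time.Time; w int64 }
)

// weightedMedian applies the BFT Time rule: in time order, return the timestamp at which cumulative voting power passes half the total.
func weightedMedian(wts []weightedTime, total int64) time.Time {
	sort.Slice(wts, func(i, j int) bool { return wts[i].t.Before(wts[j].t) })
	median := total / 2
	for _, wt := range wts {
		if median < wt.w {
			return wt.t
		}
		median -= wt.w
	}
	return time.Time{}
}

// medianTime weights each signature by the validator its ValidatorAddress field names. With strict=true it first
// requires that address to equal the validator at the same index (the key the signature is verified against).
func medianTime(sigs []CommitSig, vals []Validator, strict bool) (time.Time, error) {
	wts, total := []weightedTime{}, int64(0)
	for i, sig := range sigs {
		if sig.Absent {
			continue
		}
		if strict && (i >= len(vals) || !bytes.Equal(sig.ValidatorAddress, vals[i].Address)) {
			return time.Time{}, fmt.Errorf("commit sig %d does not belong to the validator at index %d", i, i)
		}
		for _, v := range vals { // weight looked up by the claimed address: the attribution the fix ties back to the index
			if bytes.Equal(v.Address, sig.ValidatorAddress) {
				total += v.VotingPower
				wts = append(wts, weightedTime{sig.Timestamp, v.VotingPower})
			}
		}
	}
	return weightedMedian(wts, total), nil
}
```

Exercised under go test with a commit whose first signature carries a higher-weight validator's address and a future timestamp, the unchecked path returns that future time while strict mode returns an error, which is the behaviour the patched MakeBlock/MedianTime pair is meant to enforce.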
Remediation Steps:

  1. Upgrade CometBFT to version v0.37.18 or v0.38.21
  2. Coordinate upgrade with the validator set to prevent consensus forks
  3. Restart the node process with the new binary


Read the full report for GHSA-C32P-WCQJ-J677 on our website for more details including interactive diagrams and full exploit analysis.
