Advisories for Cargo/Tendermint-Light-Client-Js package

2022

Tendermint light client verification not taking into account chain ID

Anyone using the tendermint-light-client and related packages to perform light client verification (e.g. IBC-rs, Hermes). At present, the light client does not check that the chain IDs of the trusted and untrusted headers match, resulting in a possible attack vector where someone who finds a header from an untrusted chain that satisfies all other verification conditions (e.g. enough overlapping validator signatures) could fool a light client. The attack vector is …