GHSA-c32p-wcqj-j677: CometBFT has inconsistencies between how commit signatures are verified and how block time is derived
Name: CSA-2026-001: Tachyon
Criticality: Critical (Catastrophic Impact; Possible Likelihood per ACMv1.2)
Affected versions: All versions of CometBFT
Affected users: Validators and protocols relying on block timestamps
A consensus-level vulnerability was discovered in CometBFT’s “BFT Time” implementation due to an inconsistency between how commit signatures are verified and how block time is derived.
This breaks a core BFT Time guarantee: “A faulty process cannot arbitrarily increase the Time value.”
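As an added illustration, not CometBFT's own code and not a reproduction of the flaw, the following Go sketch shows the guarantee quoted above in working form: block time is the voting-power-weighted median of precommit timestamps, and only signature-verified votes may feed that median, so a faulty minority holding under one third of the voting power cannot move it past the honest timestamps. The Vote type, WeightedMedianTime and the sample votes are assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Vote is one precommit as seen by block-time derivation; Verified records
// whether its signature was actually checked against the validator's key.
type Vote struct {
	Validator string
	Power     int64
	Timestamp time.Time
	Verified  bool
}

// WeightedMedianTime derives block time as the voting-power-weighted median of
// precommit timestamps, counting only signature-verified votes. Keeping the
// verified set and the counted set identical is the invariant at stake.
func WeightedMedianTime(votes []Vote) (time.Time, error) {
	counted := make([]Vote, 0, len(votes))
	var total int64
	for _, v := range votes {
		if v.Verified { // unauthenticated timestamps never influence time
			counted = append(counted, v)
			total += v.Power
		}
	}
	if total == 0 {
		return time.Time{}, fmt.Errorf("no verified votes to derive time from")
	}
	sort.Slice(counted, func(i, j int) bool {
		return counted[i].Timestamp.Before(counted[j].Timestamp)
	})
	// Walk the sorted votes until cumulative power exceeds half the total.
	acc, i := int64(0), 0
	for ; acc*2 <= total; i++ {
		acc += counted[i].Power
	}
	return counted[i-1].Timestamp, nil
}

func main() {
	base := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample votes
	votes := []Vote{
		{"v1", 10, base, true}, {"v2", 10, base.Add(time.Second), true},
		{"v3", 10, base.Add(2 * time.Second), true},
		{"bad", 10, base.Add(1000 * time.Hour), true}, // faulty, far-future clock
	}
	fmt.Println(WeightedMedianTime(votes)) // v3's timestamp: 2s after base
}
```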
References
- github.com/advisories/GHSA-c32p-wcqj-j677
- github.com/cometbft/cometbft
- github.com/cometbft/cometbft/commit/bf8274fcdbcab2bc652660ae627196a90a6efb97
- github.com/cometbft/cometbft/releases/tag/v0.37.18
- github.com/cometbft/cometbft/releases/tag/v0.38.21
- github.com/cometbft/cometbft/security/advisories/GHSA-c32p-wcqj-j677