Advisories for Golang/Github.com/Cometbft/Cometbft/Light package

2024

CometBFT's state syncing validator from malicious node may lead to a chain split

The state sync protocol retrieves a snapshot of the application and installs it in a fresh node. In order for this node to be ready to run consensus and block sync from the installed snapshot height, we also need to install a valid State in the node, which is the starting state from which it is able to validate new blocks and append them to the blockchain. The State object …