How the CVE Works:
The vulnerability in tendermint-rs (v0.40.2 and below) allows a malicious validator to spoof votes from other validators because the light client does not verify validator addresses. In Tendermint a validator's address is derived from its public key (for ed25519 keys, the first 20 bytes of SHA-256 of the key), but when aggregating commit votes the light client verifier tallies voting power by the address a vote claims without checking that this address actually corresponds to the public key the signature is verified against. An attacker holding one validator signing key can therefore craft a block whose commit carries signatures made with their own key but attributed to other validators' addresses; the light client counts those validators' voting power, sees a fake 2/3+ majority, and accepts the block as legitimate. This undermines consensus integrity and enables chain manipulation without real validator approval.
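To make the failure concrete, the following is an added example (not tendermint-rs code and not from the advisory) that models the tally as described above. It assumes a toy FNV-1a hash in place of SHA-256, a toy, deliberately forgeable signature whose only job is to answer "does this tag verify under pubkey X?", and invented types (PubKey, Address, CommitSig, ValidatorSet). The attacker holds one real validator key; the vulnerable tally accepts its signature three times under three different addresses, the hardened tally derives each address from the presented pubkey and verifies against the trusted set's key.

```rust
use std::collections::{HashMap, HashSet};

/// Toy 64-bit FNV-1a hash standing in for SHA-256 (Tendermint uses
/// SHA-256(pubkey)[..20] for the address); an assumption of this example.
fn h(bytes: &[u8]) -> u64 {
    let mut acc: u64 = 0xcbf2_9ce4_8422_2325;
    for b in bytes {
        acc ^= u64::from(*b);
        acc = acc.wrapping_mul(0x0000_0100_0000_01b3);
    }
    acc
}

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
struct PubKey(u64);
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
struct Address(u64);
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
struct Signature(u64);

/// The binding the vulnerable tally never checks: address := H(pubkey).
fn derive_address(pk: PubKey) -> Address {
    Address(h(&pk.0.to_le_bytes()))
}

/// Toy signature: a tag over (pubkey, msg). It is forgeable, which does not
/// matter here: the attacker signs with a key they genuinely hold. What the
/// example isolates is WHICH pubkey the verifier checks the tag against.
fn sign(signer: PubKey, msg: &[u8]) -> Signature {
    let mut buf = signer.0.to_le_bytes().to_vec();
    buf.extend_from_slice(msg);
    Signature(h(&buf))
}
fn verify(pk: PubKey, msg: &[u8], sig: Signature) -> bool {
    sign(pk, msg) == sig
}

struct Validator { pubkey: PubKey, power: u64 }
/// The light client's trusted validator set, keyed by address.
type ValidatorSet = HashMap<Address, Validator>;

/// One commit signature from an untrusted block: the claimed voter address,
/// the pubkey presented alongside it, and the signature over the block.
struct CommitSig { validator_address: Address, pubkey: PubKey, sig: Signature }

/// Vulnerable tally: power comes from the validator at the CLAIMED address,
/// but the signature is checked against the pubkey the untrusted data
/// supplied, so address and key are never tied together.
fn vulnerable_voting_power(vals: &ValidatorSet, msg: &[u8], commit: &[CommitSig]) -> u64 {
    commit.iter().filter_map(|cs| {
        let v = vals.get(&cs.validator_address)?;
        verify(cs.pubkey, msg, cs.sig).then_some(v.power)
    }).sum()
}

/// Hardened tally: reject any commit signature whose claimed address is not
/// derived from the presented pubkey, verify with the TRUSTED set's key, and
/// count each validator at most once.
fn hardened_voting_power(vals: &ValidatorSet, msg: &[u8], commit: &[CommitSig]) -> u64 {
    let mut seen = HashSet::new();
    let mut power = 0;
    for cs in commit {
        if derive_address(cs.pubkey) != cs.validator_address { continue; }
        if !seen.insert(cs.validator_address) { continue; }
        if let Some(v) = vals.get(&cs.validator_address) {
            if verify(v.pubkey, msg, cs.sig) { power += v.power; }
        }
    }
    power
}

/// Tendermint's commit rule: signed power must exceed 2/3 of total power.
fn has_two_thirds(signed: u64, total: u64) -> bool { signed * 3 > total * 2 }

/// Constructed scenario: three validators with 10 power each; the attacker
/// holds only validator C's key and forges commit sigs "from" A and B with it.
/// Returns (total power, power accepted by the vulnerable tally, hardened tally).
fn scenario() -> (u64, u64, u64) {
    let msg = b"block_id=0xC0FFEE height=100 round=0"; // constructed vote bytes
    let (a, b, c) = (PubKey(h(b"val-a")), PubKey(h(b"val-b")), PubKey(h(b"val-c")));
    let mut vals = ValidatorSet::new();
    for pk in [a, b, c] {
        vals.insert(derive_address(pk), Validator { pubkey: pk, power: 10 });
    }
    let total: u64 = vals.values().map(|v| v.power).sum();
    let forged = sign(c, msg); // the attacker's one legitimate signature, reused
    let commit = vec![
        CommitSig { validator_address: derive_address(a), pubkey: c, sig: forged }, // spoofs A
        CommitSig { validator_address: derive_address(b), pubkey: c, sig: forged }, // spoofs B
        CommitSig { validator_address: derive_address(c), pubkey: c, sig: forged }, // genuine
    ];
    (total, vulnerable_voting_power(&vals, msg, &commit), hardened_voting_power(&vals, msg, &commit))
}

fn main() {
    let (total, vuln, fixed) = scenario();
    println!("total={} vulnerable={} (2/3+: {}) hardened={} (2/3+: {})",
             total, vuln, has_two_thirds(vuln, total), fixed, has_two_thirds(fixed, total));
}
```

With one key the vulnerable tally reaches 30 of 30 power and clears the 2/3 threshold; the hardened tally credits only the attacker's own 10. The derive-and-compare check is cheap, so it belongs on every untrusted validator entry and commit signature, not only in the vote loop.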
DailyCVE Form:
Platform: Tendermint-rs
Version: <= v0.40.2
Vulnerability: Validator spoofing
Severity: Critical
Date: March 12, 2025
What Undercode Say:
Analytics:
- Impact: Full consensus bypass for light clients; a forged commit passes the 2/3+ voting-power check.
- Exploit Complexity: Moderate (requires control of at least one validator's signing key).
- Patch Adoption: Upgrade to 0.40.3 or later immediately.
Exploit (PoC Snippet):
// Malicious vote injection (schematic; `Vote::new` and `verify_vote` are
// placeholder names from this write-up, not tendermint-rs API). The vote
// claims another validator's identity but carries the attacker's key.
let fake_vote = Vote::new(
    block_id,
    height,
    round,
    stolen_pub_key,   // attacker-controlled key substituted for the victim's
    forged_signature, // produced with the attacker's own private key
);
light_client.verify_vote(fake_vote); // accepted: address/pubkey binding is never checked
Protection Commands:
1. Upgrade:
Bump every tendermint-rs crate in the dependency tree (tendermint, tendermint-light-client, tendermint-light-client-verifier) to 0.40.3 in Cargo.toml, then pin the lockfile, e.g.:
cargo update -p tendermint-light-client-verifier --precise 0.40.3
2. Manual Patch (if upgrade delayed):
// Enforce the address/pubkey match in vote validation. For ed25519 validators
// the Tendermint address is the first 20 bytes of SHA-256(pubkey);
// derive_address stands for that computation.
fn validate_vote(vote: &Vote) -> bool {
    vote.validator_address == derive_address(&vote.pub_key)
}
3. Monitoring:
cargo tree -i tendermint-light-client-verifier   # which versions of the verifier crate are in the tree
cargo audit                                       # RustSec check over Cargo.lock (cargo install cargo-audit)
Any occurrence at or below 0.40.2 is vulnerable; cargo audit flags it if the RustSec database carries the advisory.
Detection Script (Python):
import hashlib

def pubkey_to_address(pubkey: bytes) -> str:
    # Tendermint ed25519 validator address: first 20 bytes of SHA-256(pubkey), hex
    return hashlib.sha256(pubkey).digest()[:20].hex().upper()

def detect_spoofed_votes(block):
    for vote in block.votes:
        if vote.address.upper() != pubkey_to_address(vote.pubkey):
            print(f"GHSA-6jrf-4jv4-r9mw: vote address {vote.address} does not match its pubkey")
Mitigation Steps:
- Remove or rotate the signing key of any validator caught submitting votes whose address does not match its public key.
- There is no configuration switch that enables this check; the address/pubkey binding is enforced in the verifier code, so the crate upgrade is the control.
- Monitor for abnormal block finalization rates and for commits in which the same signature appears under several validator addresses.
References:
- GitHub Security Advisory GHSA-6jrf-4jv4-r9mw: https://github.com/advisories/GHSA-6jrf-4jv4-r9mw
- Reported By: Asymmetric Research