Beware of Byzantine Faults in CometBFT – Protect Your Blockchain Node

CVE: CVE-2023-34451
CVSS (cvssV3_1): 8.2
Source: CVE-2023-34451

CometBFT is open-source middleware used for replicating blockchain nodes. It was found to have a vulnerability that could leave duplicate transactions stuck in the transaction pool, or “mempool”. The cause is that two internal data structures used to track transactions, a list and a map, could get out of sync.
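The list/map desync described above, as a simplified Go model added here for illustration; it is not CometBFT's code, and the `Pool` type, its `guarded` switch and the `tx-A` value are hypothetical. It shows how an unchecked repeat leaves a list entry that removal through the map can never reach, and a consistency check that finds such entries.

```go
package main

import "container/list"
import "fmt"

// Pool is a simplified model, not CometBFT code: an ordered list plus a lookup map.
type Pool struct {
	txs     *list.List
	index   map[string]*list.Element
	guarded bool // hypothetical switch: skip a tx that is already indexed
}

func NewPool(guarded bool) *Pool {
	return &Pool{txs: list.New(), index: map[string]*list.Element{}, guarded: guarded}
}

// Add appends tx; unguarded, a repeat adds a second list entry and overwrites the map entry.
func (p *Pool) Add(tx string) {
	if _, dup := p.index[tx]; !dup || !p.guarded {
		p.index[tx] = p.txs.PushBack(tx)
	}
}

// Remove drops tx through the map, the way a committed tx leaves the pool.
func (p *Pool) Remove(tx string) {
	if e, ok := p.index[tx]; ok {
		p.txs.Remove(e)
		delete(p.index, tx)
	}
}

// Orphans lists entries the map does not point at: the list/map desync check.
func (p *Pool) Orphans() (out []string) {
	for e := p.txs.Front(); e != nil; e = e.Next() {
		if tx := e.Value.(string); p.index[tx] != e {
			out = append(out, tx)
		}
	}
	return out
}

func main() {
	for _, guarded := range []bool{false, true} {
		p := NewPool(guarded)
		p.Add("tx-A")
		p.Add("tx-A") // constructed repeat of the same transaction
		p.Remove("tx-A")
		fmt.Println(guarded, p.txs.Len(), len(p.index), p.Orphans())
	}
}
```

In the unguarded run one `tx-A` entry stays in the list after removal with nothing in the map to delete it by; the guarded run ends empty.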

An attacker could exploit this by repeatedly submitting the same transaction to overwhelm the mempool with duplicates. This could bring down the target node by exhausting its resources. The attacker would need access to the transaction submission API of the node.

The good news is that developers have addressed this issue in recent releases. However, if you run an older version, you could be at risk. Mitigations include increasing the mempool cache size and restricting access to transaction submission endpoints.

It’s always wise to keep blockchain node software up to date to protect against known vulnerabilities. If you operate a CometBFT node, consider upgrading or applying the recommended workarounds. Staying vigilant against Byzantine faults will help maintain the integrity and resilience of your blockchain network.
