Missing validation of priorities in validateset in Header and Many Other Known Security Issues are Unsolved

Question

Missing validation of priorities in validateset in Header and Many Other Known Security Issues are Unsolved

Opened this issue 3 months ago · 2 comments

The header hash was generated with a missing hash of the validateset's priorities information. A malicious user could modify the priorities without causing a state hash validation error. Remarkably this is a known issue in Cometbft that breaks the state hash validation for priorities.
https://github.com/sei-protocol/sei-tendermint/blob/main/types/validator_set.go#L344-L350

/types/validator.go
type Validator struct {
	Address     Address       `json:"address"`
	PubKey      crypto.PubKey `json:"pub_key"`
	VotingPower int64         `json:"voting_power"`

	ProposerPriority int64 `json:"proposer_priority"`
}
...
types/validator_set.go
func (vals *ValidatorSet) Hash() []byte {
	bzs := make([][]byte, len(vals.Validators))
	for i, val := range vals.Validators {
		bzs[i] = val.Bytes()
	}
	return merkle.HashFromByteSlices(bzs)
}
...
/types/validator.go
func (v *Validator) Bytes() []byte {
	pk, err := ce.PubKeyToProto(v.PubKey)
	if err != nil {
		panic(err)
	}

	pbv := cmtproto.SimpleValidator{
		PubKey:      &pk,
		VotingPower: v.VotingPower,
	}

	bz, err := pbv.Marshal()
	if err != nil {
		panic(err)
	}
	return bz
}

Sei-tendermint implemented its own consensus protocol using cometbft's fork project, but many of the flaws that were fixed in cometbft were not fixed by that project, and this issue is one of them.
More information is shown below：
Other Unsolved issues' Fix PR and Commits:
cometbft/cometbft#3984
cometbft/cometbft#3369
cometbft/cometbft@d766d20
cometbft/cometbft#890
cometbft/cometbft#865

Answer 1 · 2024-10-18T09:39:10.000Z

@jewei1997 @yzang2019 @codchen

Answer 2 · 2024-10-21T15:17:18.000Z

@blindchaser