Security researcher Doyeon Park revealed a critical flaw in CometBFT, a core component of Cosmos chains that secure around $8 billion in value. This discovery highlights a lack of clear communication practices regarding vulnerabilities in fundamental cryptocurrency infrastructure.
Summary
- Security researcher Doyeon Park disclosed a CVSS 7.1 zero‑day in Cosmos’ CometBFT consensus layer.
- The flaw can stall nodes during block synchronization across chains securing more than $8 billion in assets.
- Park said asset theft is not possible, but went public after failed coordinated disclosure with the vendor.
Security researcher Doyeon Park has revealed a serious flaw in Cosmos’ core consensus technology, CometBFT. This previously unknown vulnerability could cause slowdowns or disruptions in Cosmos-based blockchains, which collectively hold over $8 billion in cryptocurrency. The flaw, rated high severity (CVSS 7.1), also raises concerns about how security issues are reported and addressed in critical blockchain infrastructure.
As a security analyst, I’m reporting a critical, previously unknown vulnerability – a ‘0-day’ – within the core consensus layer of Cosmos, specifically CometBFT. I’ve assessed this as a high-severity issue with a CVSS score of 7.1. Essentially, it can cause nodes within the Cosmos network – a network securing over $8 billion in digital assets – to freeze up while they’re trying to get up-to-date with the blockchain. Importantly, while disruptive, this vulnerability doesn’t appear to allow for direct theft of funds…
— Doyeon Park (@p6rkdoye0n) April 21, 2026
Researcher escalates after failed disclosure talks
Park explained in a post on X that while the problem doesn’t involve direct theft of funds, pausing or slowing down transaction processing on several blockchains still poses a significant risk to those who operate them (validators), as well as apps and users. The researcher said they only made the vulnerability public after failing to get a response from the software provider through normal channels, citing a ‘lack of cooperation’.
Consensus stability under scrutiny
CometBFT is used to secure many blockchains built with the Cosmos SDK, so if it experiences problems syncing new blocks, the impact can spread throughout the entire Cosmos ecosystem. This can disrupt things like transfers between chains (IBC) and decentralized finance (DeFi) applications running on those affected networks. Even if user funds aren’t directly threatened, prolonged issues with nodes can lead to urgent governance votes, debates about penalizing validators, and problems with accessing funds, particularly on chains that are vital for routing transactions or host major stablecoins.
Park’s choice to publicly discuss the issue underscores the challenge of balancing openness in software development with the necessity of fixing serious flaws privately in systems that manage billions of dollars in assets. For those involved with Cosmos, this event will likely increase pressure for established security procedures and clearer rules about how quickly vulnerabilities in the core technology should be revealed.
2026-04-21 16:33