Researcher Doyeon Park drops a high‑severity CometBFT zero‑day that can stall Cosmos chains securing $8B, spotlighting disclosure gaps in core crypto infrastructure.
Summary
- Security researcher Doyeon Park disclosed a CVSS 7.1 zero‑day in Cosmos’ CometBFT consensus layer.
- The flaw can stall nodes during block synchronization across chains securing more than $8 billion in assets.
- Park said asset theft is not possible, but went public after failed coordinated disclosure with the vendor.
A critical zero‑day vulnerability in Cosmos’ CometBFT consensus layer has been publicly disclosed by security researcher Doyeon Park, raising fresh questions over coordinated disclosure practices in core blockchain infrastructure. Park said the bug, rated CVSS 7.1 (High), can cause nodes across Cosmos‑based chains to stall during the block synchronization phase, potentially disrupting networks that together secure more than $8 billion in on‑chain value.
Researcher escalates after failed disclosure talks
In a post on X, Park wrote that the issue does not allow “direct asset theft,” but warned that halting or delaying block production across multiple chains remains a serious operational and economic risk for validators, applications, and users. The researcher added that they chose to disclose the exploit publicly only after attempts to resolve the issue through standard coordinated vulnerability disclosure channels broke down due to a “lack of cooperation” from the vendor.
Because CometBFT underpins consensus for many Cosmos‑SDK‑based chains, a stall during block sync can ripple through the broader ecosystem, affecting everything from IBC transfers to DeFi protocols built on top of affected networks. Even without funds at immediate risk, sustained node stalls can trigger governance emergencies, slashing debates, and liquidity disruptions, especially on chains that serve as core routing hubs or host dollar‑denominated stablecoins.
Park’s decision to go public highlights the tension between open‑source transparency and the need to quietly patch critical bugs in systems that now secure multi‑billion‑dollar asset pools.
For Cosmos stakeholders, the incident is likely to accelerate calls for more formalized security response processes and clearer expectations around disclosure timelines for consensus‑layer vulnerabilities.
