{"id":26513,"date":"2026-04-21T16:07:48","date_gmt":"2026-04-21T16:07:48","guid":{"rendered":"https:\/\/bitunikey.com\/news\/cosmos-researcher-drops-high-severity-cometbft-zero-day-securing-over-8b\/"},"modified":"2026-04-21T16:07:58","modified_gmt":"2026-04-21T16:07:58","slug":"cosmos-researcher-drops-high-severity-cometbft-zero-day-securing-over-8b","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/cosmos-researcher-drops-high-severity-cometbft-zero-day-securing-over-8b\/","title":{"rendered":"Cosmos researcher drops high\u2011severity CometBFT zero\u2011day securing over $8B"},"content":{"rendered":"<p><\/p>\n<div class=\"post-detail__content blocks\">\n<p class=\"is-style-lead\">Researcher Doyeon Park drops a high\u2011severity CometBFT zero\u2011day that can stall Cosmos chains securing $8B, spotlighting disclosure gaps in core crypto infrastructure.<\/p>\n<div id=\"cn-block-summary-block_6cbb6026f24e330ca810533be20ca6a4\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Security researcher Doyeon Park disclosed a CVSS 7.1 zero\u2011day in Cosmos\u2019 CometBFT consensus layer.<\/li>\n<li>The flaw can stall nodes during block synchronization across chains securing more than $8 billion in assets.<\/li>\n<li>Park said asset theft is not possible, but went public after failed coordinated disclosure with the vendor.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p>A high\u2011severity zero\u2011day vulnerability in Cosmos\u2019 CometBFT consensus layer has been publicly disclosed by security researcher Doyeon Park, raising fresh questions over coordinated disclosure practices in core blockchain infrastructure. 
Park said the bug, rated CVSS 7.1 (High), can cause nodes across Cosmos\u2011based chains to stall during the block synchronization phase, potentially disrupting networks that together secure more than $8 billion in on\u2011chain value.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">I\u2019m disclosing a 0-day vulnerability in the Cosmos consensus layer (CometBFT).<\/p>\n<p>This is a CVSS 7.1 (High) severity issue that can cause nodes in the Cosmos ecosystem\u2014which secures over $8B+ in assets\u2014to stall during the block synchronization phase. However, direct asset theft is\u2026 <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/t.co\/89XeHmvjBK\">pic.twitter.com\/89XeHmvjBK<\/a><\/p>\n<p>\u2014 Doyeon Park (@p6rkdoye0n) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/p6rkdoye0n\/status\/2046563261014012215?ref_src=twsrc%5Etfw\">April 21, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<h2 class=\"wp-block-heading\"><strong>Researcher escalates after failed disclosure talks<\/strong><\/h2>\n<p>In a post on X, Park wrote that the issue does not allow \u201cdirect asset theft,\u201d but warned that halting or delaying block production across multiple chains remains a serious operational and economic risk for validators, applications, and users. 
The researcher added that they chose to disclose the exploit publicly only after attempts to resolve the issue through standard coordinated vulnerability disclosure channels broke down due to a \u201clack of cooperation\u201d from the vendor.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p>\n<h2 class=\"wp-block-heading\" id=\"consensus-stability-under-scrutiny\">Consensus stability under scrutiny<\/h2>\n<p>Because CometBFT underpins consensus for many Cosmos\u2011SDK\u2011based chains, a stall during block sync can ripple through the broader ecosystem, affecting everything from IBC transfers to DeFi protocols built on top of affected networks. Even without funds at immediate risk, sustained node stalls can trigger governance emergencies, slashing debates, and liquidity disruptions, especially on chains that serve as core routing hubs or host dollar\u2011denominated stablecoins.<\/p>\n<p>Park\u2019s decision to go public highlights the tension between open\u2011source transparency and the need to quietly patch critical bugs in systems that now secure multi\u2011billion\u2011dollar asset pools.<br \/>For Cosmos stakeholders, the incident is likely to accelerate calls for more formalized security response processes and clearer expectations around disclosure timelines for consensus\u2011layer vulnerabilities.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p><\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researcher Doyeon Park drops a high\u2011severity CometBFT zero\u2011day that can stall Cosmos chains securing $8B, spotlighting disclosure gaps in core crypto infrastructure. 
Summary Security researcher Doyeon Park disclosed a CVSS&hellip;<\/p>\n","protected":false},"author":1,"featured_media":9547,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-26513","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/26513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=26513"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/26513\/revisions"}],"predecessor-version":[{"id":26514,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/26513\/revisions\/26514"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/9547"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=26513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=26513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=26513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}