오잉

25 posts

@oing8679

Joined July 2024
9 Following, 6 Followers

오잉 retweeted
Doyeon Park (@ehdus829)
The purpose of this disclosure is to protect the ecosystem, not to harm it. Therefore, with consideration for ecosystem safety, I will disclose only the technical details of the vulnerability and video evidence, and will not release the fully exploitable attack code (full PoC).

오잉 retweeted
Doyeon Park (@ehdus829)
Timeline
2026-02-22: Submitted the first report
2026-02-23: Summary of the Cosmos team’s response: the attack is not feasible; however, since the bug still has impact, they instructed me to report it via a public GitHub issue (while refusing public disclosure of the report)
2026-03-04: Submitted the second report
2026-03-04: The second report was marked as spam
2026-03-05: I requested assistance from the SEAL 911 team; after reviewing the case, they contacted the Cosmos team directly
2026-03-05: Summary of the Cosmos team’s response: repeated the same position without providing additional technical explanation
2026-03-06: Arbitrarily downgraded the severity of CVE-2025-24371 (cve.org/CVERecord?id=C…), disregarding international standards (see github.com/cometbft/comet…)
2026-03-06: I shared a network-level PoC to refute the Cosmos team’s claim that the attack is not feasible
2026-03-10: Despite the second report being marked as spam, I trusted that a review would be conducted and shared a network-level PoC
2026-04-14: After more than a month without any further response, I announced my intention to disclose the issue in accordance with the Cosmos team’s final decision
2026-04-21: Public disclosure of the vulnerability from the first report

오잉 retweeted
Doyeon Park (@ehdus829)
Background of Disclosure

Following my vulnerability report, the vendor instructed me to post it as a public GitHub issue, stating that the attack was not feasible but that the bug still had impact. I requested public disclosure of the report, but this was denied. I subsequently submitted a network-level PoC that fully refuted the claim of infeasibility; however, no further response was provided.

After my report, the vendor independently reclassified a prior 1-day vulnerability with the same impact—CVE-2025-24371—as Informational (Negligible Impact, Possible Likelihood), disregarding internationally recognized standards set by MITRE (CVE) and FIRST (CVSS) (see github.com/cometbft/comet…). This appears to be an inappropriate attempt to downplay the severity of the issue and avoid providing proper recognition or reward for the report.

In addition, I reported a more severe vulnerability through HackerOne, but it was marked as spam without any technical review. This does not appear to be an isolated case—other security researchers participating in the Cosmos bug bounty program have reported experiencing similar treatment (see github.com/cometbft/comet…).

Therefore, in the interest of transparency and the safety of the ecosystem, I have decided to disclose this issue in accordance with the Cosmos team’s final decision. (Further details regarding the background of this disclosure are provided in the GitHub issue linked in my final thread.)

오잉 retweeted
Doyeon Park (@ehdus829)
Cosmos Validator Survival Guide

First, following the disclosure of this vulnerability, I would like to provide a validator survival guide for the Cosmos ecosystem. Until a patch for the disclosed vulnerability is released, validator operators in the Cosmos ecosystem are strongly advised to avoid restarting their nodes whenever possible.

This vulnerability is triggered during the block synchronization phase. Nodes that are already in consensus mode may continue to operate normally; however, if they are restarted and enter the block sync process, exposure to a malicious peer can lead to a deadlock, making it impossible for the node to rejoin the network.

오잉 retweeted
Doyeon Park (@ehdus829)
I’m disclosing a 0-day vulnerability in the Cosmos consensus layer (CometBFT). This is a CVSS 7.1 (High) severity issue that can cause nodes in the Cosmos ecosystem—which secures over $8B+ in assets—to stall during the block synchronization phase. However, direct asset theft is not possible using this vulnerability. I made every effort to follow Coordinated Vulnerability Disclosure (CVD) for the safety of the ecosystem; however, due to the vendor’s lack of cooperation and irresponsible decisions, I have decided to proceed with disclosure. This action is taken in accordance with the vendor’s final decision. All resulting security risks are solely the responsibility of the vendor, and I will therefore disclose both the vendor’s irresponsible handling and the detailed vulnerability information in this thread.

오잉 retweeted
BlockchainValley (@blockchainkor)
<Analysis of Reentrancy Attack Types> Authors: 김지은 (@oing8679), 이수빈. This article covers the types of reentrancy attacks and demonstrates each of them with hands-on examples. We appreciate your interest! Full article: bit.ly/40yjbGP

오잉 retweeted
BlockchainValley (@blockchainkor)
<Analysis of the Qubit Hacking Incident> Author: 김지은 (@oing8679). This article analyzes the Qubit security incident, a bridge hack that was carried out using transaction log information. We appreciate your interest! Full article: bit.ly/3PsvZYT

오잉 retweeted
BlockchainValley (@blockchainkor)
[Week 4 Common Session] The head of Blockchain Valley's security team (@p6rkdoye0n) and the head of the research team (@oing8679) talked about Web3 security auditing and shared how the H4C team member (@13u9_kyeong) got started in security and the direction of their research.

오잉 retweeted
Arbitrum Korea (@Arbitrum_korea)
Arbitrum Korea🤝Blockchain Valley: Open Session 📅 Friday, November 22, from 7 PM 📌 Korea University CJ Creator Library. An open session held together with @blockchainkor, @DeSpreadTeam, and @WelldoneStudio_, who are at the center of the Arbitrum Ambassador Program!
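
오잉 retweeted
BlockchainValley (@blockchainkor)
Through a partnership with @BlobCourse, Blockchain Valley at Korea University will provide its members with the 120-lecture Web3 All-in-One course as onboarding lectures. Through this collaboration, we hope that our members will come to understand blockchain and Web3 technologies and, on that basis, build the skills to take part in a variety of blockchain projects.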

오잉 retweeted
BlockchainValley (@blockchainkor)
[Blockchain Valley OT/MT] The OT led by @geunkey2243, the president, covered the society’s activities, past achievements, and future directions. Afterwards, we had an MT where many members of the society up to the 6th term gathered to get to know each other and have fun memories.

오잉 retweeted
BlockchainValley (@blockchainkor)
[Week 1 Common Session] In the first session, we introduced each team and shared the curriculum, with team leaders outlining their goals and plans for the semester. A senior member, a Blockchain Valley founder who runs Generativelabs, shared insights on GPT-based services.

오잉 retweeted
BlockchainValley (@blockchainkor)
[Week 2 Common Session] GOPAX (@GOPAX_kr) shared their crypto and Web3 business insights and made the session easy to understand regarding AML, compliance, and recent regulations!

오잉 retweeted
BlockchainValley (@blockchainkor)
[Week 3 Common Session] Part 1 discussed how he used Web3 and the importance of dApps. In Part 2, @tigerant_btc analyzed research cases and shared tips. Xangle (@Xangle_Official) provides on-chain data solutions to Org in a Web3 environment to help them grow their business.

오잉 retweeted
BlockchainValley (@blockchainkor)
@flock_io is paving the way for deAI by providing the 1st decentralized AI arena. Excited to work with a team with a deep technical background. Through cohosting workshops and research, we will further our understanding and contribute to the development of deAI.
FLock.io (@flock_io)

We’re excited to announce we’ve partnered with @hyperbolic_labs and @blockchainkor from Korea University 🚀 This will transform deAI research in universities by bringing onchain ML and cutting-edge AI cloud infrastructure to AI & ML students How is it going to work?


오잉 retweeted
Andrea | Devrelius (@devrelius)
In my career I’ve spoken in front of thousands of ppl and in front of 10-20 ppl. my fav events were often the smallest ones. Last night I had the honor of discussing next gen IP with Korea’s next gen leaders. Had a blast at @blockchainkor’s Story meetup at Korea Univ 🔥 🙇

오잉 retweeted
BlockchainValley (@blockchainkor)
Blockchain Valley welcomes Devrelius @devrelius from Story Protocol, thank you for joining us! @StoryProtocol Story Protocol is a blockchain-based open protocol that enables creators to retain full ownership of their IP and effectively manage and utilize it.