Security researcher Doyeon Park discovered a serious zero-day vulnerability in CometBFT, the consensus layer of the Cosmos ecosystem, and publicly shared it via the X platform. This vulnerability, with a CVSS score of 7.1, is categorized as "high risk." While it doesn't directly lead to fund theft, it can cause nodes on the Cosmos network to lock up during block synchronization. This vulnerability threatens an ecosystem that currently protects over $8 billion in assets.
Park's decision to disclose publicly appears to stem less from the technical finding itself than from a breakdown in the disclosure process. The researcher states that she followed the widely accepted Coordinated Vulnerability Disclosure (CVD) process for responsible disclosure, but did not receive sufficient cooperation or a responsible decision-making process from the vendor. After the vendor announced its final decision, Park chose transparency rather than remaining silent. Cosmos Labs' security policy prohibits publicly disclosing vulnerabilities affecting the ecosystem via GitHub, blog posts, or social media; a vulnerability is considered off-limits for disclosure until Cosmos Labs has fixed the issue and officially confirmed the disclosure.
What is CometBFT, and why is it so critical?
Cosmos's core layer is built on the CometBFT (formerly Tendermint) consensus engine, which implements a Byzantine Fault Tolerant (BFT) consensus protocol and is written in Go. Strict determinism is a foundational requirement in BFT systems like CometBFT: every correct validator must compute identical state-transition results from the same input, and any deviation can lead to consensus failure.
A similar vulnerability (ASA-2025-003) that surfaced last October involved insufficient validation of BitArray messages in CometBFT; in the worst case, a malicious message could bring not only the receiving node but the entire network to a standstill. That the vulnerability Park has now disclosed operates through a similar mechanism has raised concerns about CometBFT's consensus infrastructure.
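To make the determinism and validation point concrete, the following is an added example (not code from the advisory, CometBFT, or the researcher) of a defensive pre-check on an incoming bit-array message before consensus code touches it. The struct shape, the MaxBits bound, and the checks are assumptions for illustration, not the actual vulnerable code or its fix.

```go
package main

import (
	"errors"
	"fmt"
)

// BitArrayMsg mirrors the shape of a wire-level bit array (assumed for this
// example): a declared bit count plus 64-bit words carrying the bits.
type BitArrayMsg struct {
	Bits  int64
	Elems []uint64
}

// MaxBits is an assumed bound; a node would derive it from validator set size.
const MaxBits = 1 << 16

var (
	ErrNegativeBits = errors.New("bit array: negative bit count")
	ErrTooManyBits  = errors.New("bit array: bit count exceeds limit")
	ErrElemMismatch = errors.New("bit array: element count does not match bit count")
	ErrNonCanonical = errors.New("bit array: padding bits above Bits are not zero")
)

// ValidateBasic rejects a message before any consensus code touches it.
// Each check guards a distinct failure mode: a negative or huge count
// (resource exhaustion), a words/bits mismatch (out-of-range indexing), and
// non-zero padding bits (two encodings of one set, which breaks determinism).
func ValidateBasic(m BitArrayMsg) error {
	if m.Bits < 0 {
		return ErrNegativeBits
	}
	if m.Bits > MaxBits {
		return ErrTooManyBits
	}
	if int64(len(m.Elems)) != (m.Bits+63)/64 {
		return ErrElemMismatch
	}
	if rem := m.Bits % 64; rem != 0 {
		mask := ^uint64(0) << uint(rem) // positions above the declared count
		if m.Elems[len(m.Elems)-1]&mask != 0 {
			return ErrNonCanonical
		}
	}
	return nil
}

func main() {
	// Constructed samples: 70 bits well-formed, then the same with one word short.
	fmt.Println(ValidateBasic(BitArrayMsg{Bits: 70, Elems: []uint64{^uint64(0), 0x3F}}))
	fmt.Println(ValidateBasic(BitArrayMsg{Bits: 70, Elems: []uint64{^uint64(0)}}))
}
```

In a real node such a check belongs at message decoding, so that a peer's malformed message is dropped (and the peer penalised) rather than reaching the reactor or block-sync logic.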
Cosmos: "The Internet of Blockchains"
Cosmos is a project described by its founders as the "internet of blockchains"; its aim is to create a network of interconnected crypto networks with open-source tools that facilitate transactions between them. As of today, more than 200 chains are using the Cosmos infrastructure in a live environment.
The ecosystem is noteworthy for its institutional appetite as well as its technical infrastructure. Teams such as Ripple, Ondo, Figure, and Stable have carried out large-scale deployments on Cosmos in 2025; these deployments have extended to banking, finance, government, and corporate blockchain areas. Cosmos Labs' vision is to turn CometBFT and IBC into global financial rails and to make Cosmos chains the cornerstone of payment infrastructure through tokenization.
However, alongside this ambitious roadmap, security issues remain on the agenda. Modular design means that application chains inherit risks arising from shared components (SDK, CometBFT, IBC-Go, CosmWasm VM); a vulnerability in a widely used standard module or underlying protocol can affect many independent chains simultaneously. At the time of writing, ATOM, the coin of the Cosmos ecosystem, is trading at $1.80.