CVE-2023-34451 in CometBFT
Summary
by MITRE • 07/03/2023
CometBFT is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine and replicates it on many machines. The mempool maintains two data structures to keep track of outstanding transactions: a list and a map. These two data structures are supposed to be in sync all the time in the sense that the map tracks the index (if any) of the transaction in the list. In `v0.37.0` and `v0.37.1`, as well as in `v0.34.28` and all previous releases of the CometBFT repo, it is possible to have them out of sync. When this happens, the list may contain several copies of the same transaction. Because the map tracks a single index, it is then no longer possible to remove all the copies of the transaction from the list. This happens even if the duplicated transaction is later committed in a block. The only way to remove the transaction is by restarting the node.
The above problem can be repeated on and on until a sizable number of transactions are stuck in the mempool, in order to try to bring down the target node. The problem is fixed in releases `v0.34.29` and `v0.37.2`. Some workarounds are available. Increasing the value of `cache_size` in `config.toml` makes it very difficult to effectively attack a full node. Not exposing the transaction submission RPCs would mitigate the probability of a successful attack, as the attacker would then have to create a modified (byzantine) full node to be able to perform the attack via p2p.
Analysis
by VulDB Data Team • 07/04/2023
CometBFT is a Byzantine Fault Tolerant middleware that keeps state transitions consistent across distributed nodes by replication. CVE-2023-34451 stems from a synchronization failure between two internal mempool data structures, the transaction list and the transaction map, which are meant to keep a consistent index of each transaction. The flaw exists in versions v0.37.0, v0.37.1, v0.34.28 and all earlier releases, and the persistent state inconsistency it creates can be exploited for denial of service. Once the list and map are out of sync, duplicate transactions accumulate in the list while the map references only a single index position, so the remaining copies can no longer be removed from memory.
Exploitation produces a cascading memory consumption problem: duplicate transaction entries persist indefinitely in the mempool, even after the transaction has been committed in a block, because the map's single-index tracking cannot account for the several list positions occupied by identical transactions. The result is a memory leak in which entries multiply without ever being cleaned up. The vulnerability sits at the application layer and affects the integrity of the consensus mechanism, since the mempool's failure to manage the transaction lifecycle directly impacts node stability and network performance. The flaw is aligned with CWE-691, which addresses inadequate synchronization of data structures, and is a classic resource management failure in a distributed system. An attacker can trigger the condition repeatedly to accumulate a large number of stale transaction entries, eventually exhausting available memory and rendering the node unresponsive.
The operational impact of CVE-2023-34451 goes beyond simple resource exhaustion, because it undermines the reliability of CometBFT nodes within a distributed network. Affected nodes become increasingly unstable over time, with transaction processing degrading until the node fails completely. The only remediation is a full node restart, an operational disruption that can affect network consensus and availability. Network participants who rely on full nodes for transaction processing and validation are particularly exposed, since an attacker can degrade service availability systematically without any sophisticated network-level attack. If several nodes are affected at once, the flaw can contribute to network partitions or consensus failures, which makes it a critical concern for network operators and security architects.
Mitigation of CVE-2023-34451 covers both immediate operational responses and longer-term architectural improvements. The most effective measure is to upgrade to the patched versions v0.34.29 and v0.37.2, which fix the synchronization issue in the mempool's transaction management. As a temporary workaround, increasing the `cache_size` parameter in `config.toml` significantly reduces the attack surface by making duplicate transaction accumulation much harder. At the network level, restricting exposure of the transaction submission RPC endpoints prevents external attackers from submitting transactions directly to trigger the vulnerability. The ATT&CK framework categorizes this vulnerability under T1499.004, which addresses network denial of service through resource exhaustion; the specific implementation weakness could be classified as a persistent memory corruption issue. Additional defensive measures include transaction rate limiting, monitoring of mempool size thresholds, and automated restart of affected nodes to minimize service disruption. The vulnerability illustrates how important correct data structure synchronization is in distributed consensus protocols, where a seemingly minor implementation flaw can have network-wide consequences.
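The list-and-map bookkeeping the summary describes, and why raising `cache_size` helps, as an added Go model written for this page rather than taken from CometBFT's mempool code: `seenCache` is an assumed stand-in for the bounded transaction cache that `cache_size` sizes, the vulnerable path assumes that cache is the only duplicate check before a transaction is appended to the list, and the `strict` flag is an assumed fix (consult the map before appending, remove every copy on commit), not the upstream patch. `Simulate` submits one constructed transaction, enough fillers to evict it from a small cache, the same transaction again, then commits it and reports how many copies remain stuck.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// txKey stands in for the transaction hash that keys the mempool map.
type txKey [sha256.Size]byte

func keyOf(tx []byte) txKey { return sha256.Sum256(tx) }

// seenCache is an assumed stand-in for the bounded tx cache: it remembers at
// most `size` keys, evicts the oldest, and rejects a tx whose key it still holds.
type seenCache struct {
	size  int
	order []txKey
	set   map[txKey]struct{}
}

func newSeenCache(size int) *seenCache {
	return &seenCache{size: size, set: make(map[txKey]struct{})}
}

// push returns false when the key is still cached (tx rejected as already seen).
func (c *seenCache) push(k txKey) bool {
	if _, ok := c.set[k]; ok {
		return false
	}
	if len(c.order) == c.size {
		delete(c.set, c.order[0])
		c.order = c.order[1:]
	}
	c.order = append(c.order, k)
	c.set[k] = struct{}{}
	return true
}

// mempool keeps the two structures the advisory describes: an ordered list of
// txs and a map from tx key to a single index into that list.
type mempool struct {
	cache  *seenCache
	txs    [][]byte
	txsMap map[txKey]int
	strict bool // assumed fix: check txsMap before appending, remove all copies on commit
}

func newMempool(cacheSize int, strict bool) *mempool {
	return &mempool{cache: newSeenCache(cacheSize), txsMap: make(map[txKey]int), strict: strict}
}

// checkTx admits a tx. In the vulnerable model the bounded cache is the only
// duplicate gate, so once the cache has forgotten a key the same tx is appended
// again and txsMap is overwritten with the newer index.
func (m *mempool) checkTx(tx []byte) bool {
	k := keyOf(tx)
	if !m.cache.push(k) {
		return false
	}
	if _, inList := m.txsMap[k]; m.strict && inList {
		return false
	}
	m.txs = append(m.txs, tx)
	m.txsMap[k] = len(m.txs) - 1
	return true
}

// removeTx is called once the tx has been committed in a block.
func (m *mempool) removeTx(tx []byte) {
	k := keyOf(tx)
	if m.strict {
		// Drop every copy and rebuild the index map from the surviving list.
		kept := m.txs[:0]
		for _, t := range m.txs {
			if keyOf(t) != k {
				kept = append(kept, t)
			}
		}
		m.txs = kept
		m.txsMap = make(map[txKey]int, len(kept))
		for i, t := range kept {
			m.txsMap[keyOf(t)] = i
		}
		return
	}
	// Vulnerable model: the map knows one index, so only that copy is removed;
	// any other copy is orphaned, and no later commit can reach it.
	idx, ok := m.txsMap[k]
	if !ok {
		return
	}
	m.txs = append(m.txs[:idx], m.txs[idx+1:]...)
	delete(m.txsMap, k)
	for key, i := range m.txsMap {
		if i > idx {
			m.txsMap[key] = i - 1
		}
	}
}

// inSync is the invariant a health check could assert: every key in the list
// appears exactly once and the map points at that position.
func (m *mempool) inSync() bool {
	counts := make(map[txKey]int)
	for _, t := range m.txs {
		counts[keyOf(t)]++
	}
	if len(counts) != len(m.txsMap) {
		return false
	}
	for k, i := range m.txsMap {
		if counts[k] != 1 || i >= len(m.txs) || keyOf(m.txs[i]) != k {
			return false
		}
	}
	return true
}

// Simulate submits tx A, `fillers` other txs, then A again, then commits A.
// It returns the number of copies of A still in the list afterwards and
// whether list and map were in sync just before the commit.
func Simulate(cacheSize, fillers int, strict bool) (stuck int, syncedBeforeCommit bool) {
	m := newMempool(cacheSize, strict)
	a := []byte("tx-A") // constructed sample transaction
	m.checkTx(a)
	for i := 0; i < fillers; i++ {
		m.checkTx([]byte(fmt.Sprintf("filler-%d", i)))
	}
	m.checkTx(a)
	syncedBeforeCommit = m.inSync()
	m.removeTx(a)
	for _, t := range m.txs {
		if keyOf(t) == keyOf(a) {
			stuck++
		}
	}
	return stuck, syncedBeforeCommit
}

func main() {
	for _, c := range []struct {
		name      string
		cacheSize int
		strict    bool
	}{
		{"vulnerable, small cache", 2, false},
		{"vulnerable, cache_size raised", 10, false},
		{"fixed, small cache", 2, true},
	} {
		stuck, synced := Simulate(c.cacheSize, 2, c.strict)
		fmt.Printf("%-30s in sync before commit=%v, stuck copies after commit=%d\n", c.name, synced, stuck)
	}
}
```

With a cache of two entries, the second submission of `tx-A` gets past the cache, the list ends up holding two copies while the map points only at the newer one, and committing the transaction leaves one copy behind with no map entry that could ever reach it, which is the stuck state the advisory says only a restart clears. Raising the cache size so the key is still remembered, or checking the map before appending, keeps the list and map in sync; `inSync` is the invariant an operator's mempool monitoring could watch for.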