GHSA-C32P-WCQJ-J677

Time Lords and Consensus: The "Tachyon" Exploit in CometBFT

Amit Schendel
Senior Security Researcher

Jan 23, 2026

Executive Summary (TL;DR)

CometBFT (formerly Tendermint) did not strictly verify, during block construction, that the signer of each commit vote matched the validator at the validator-set index the proposer assigned to it. A malicious proposer could exploit this to perform an "identity swap": attributing a future-dated timestamp signed by a low-weight validator to a high-weight validator, so that the timestamp is counted with that validator's voting power and inflates the block's weighted median time. This breaks the chronological integrity of the blockchain.

A critical logic flaw in CometBFT's consensus engine allows a malicious block proposer to manipulate the chain's timestamp (BFT Time), which is derived as the voting-power-weighted median of the timestamps in the previous block's commit. By exploiting the disconnect between signature verification (which key signed a vote) and weight attribution (which validator-set index the vote is credited to), an attacker holding the proposer role can skew block time forward, disrupting time-sensitive logic such as vesting schedules, unbonding periods, and IBC timeouts.
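To make the identity swap concrete, here is an added example, not CometBFT's own code: the Validator and Vote types, the Base timestamp and the three-validator set are constructed for illustration, and the median routine is a simplified stand-in for the BFT Time rule (weighted median by voting power). It shows how crediting a low-weight validator's future timestamp to a high-weight index moves the computed block time forward by an hour, and adds the signer-to-index check that closes the gap.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Base is the constructed "now" used by the sample commit below.
var Base = time.Date(2026, 1, 23, 12, 0, 0, 0, time.UTC)

// Validator is a simplified validator-set entry (illustrative type, not
// CometBFT's own).
type Validator struct {
	Address string
	Power   int64
}

// Vote is a simplified commit vote: the validator-set index the proposer
// assigns to it, the address whose key actually signed it, and the signed
// timestamp. The signature bytes are omitted; assume SignerAddress is what
// signature verification established.
type Vote struct {
	ValidatorIndex int
	SignerAddress  string
	Timestamp      time.Time
}

// WeightedMedianTime computes a BFT-Time-style value: the voting-power-weighted
// median of the vote timestamps. Weight is looked up by ValidatorIndex, which
// is the attribution step the advisory says was not tied to the signer.
func WeightedMedianTime(vals []Validator, votes []Vote) time.Time {
	type weighted struct {
		t time.Time
		w int64
	}
	items := make([]weighted, 0, len(votes))
	var total int64
	for _, v := range votes {
		w := vals[v.ValidatorIndex].Power
		items = append(items, weighted{v.Timestamp, w})
		total += w
	}
	sort.Slice(items, func(i, j int) bool { return items[i].t.Before(items[j].t) })
	var acc int64
	for _, it := range items {
		acc += it.w
		if acc*2 >= total { // first timestamp reaching half the total weight
			return it.t
		}
	}
	return items[len(items)-1].t
}

// VerifySignerMatchesIndex is the missing check: every vote's signer must be
// the validator that sits at the index the proposer credited it to.
func VerifySignerMatchesIndex(vals []Validator, votes []Vote) error {
	for _, v := range votes {
		if v.ValidatorIndex < 0 || v.ValidatorIndex >= len(vals) {
			return fmt.Errorf("vote index %d out of range", v.ValidatorIndex)
		}
		if vals[v.ValidatorIndex].Address != v.SignerAddress {
			return fmt.Errorf("vote at index %d signed by %s, expected %s",
				v.ValidatorIndex, v.SignerAddress, vals[v.ValidatorIndex].Address)
		}
	}
	return nil
}

// BuildScenario constructs sample data: A and B are honest, C is the
// low-weight validator whose vote is one hour in the future. The honest commit
// credits each vote to its real index; the swapped commit is what a malicious
// proposer assembles, exchanging the indices of A's and C's votes so C's
// future timestamp carries A's voting power.
func BuildScenario() (vals []Validator, honest, swapped []Vote) {
	vals = []Validator{
		{Address: "A", Power: 60},
		{Address: "B", Power: 30},
		{Address: "C", Power: 10},
	}
	honest = []Vote{
		{ValidatorIndex: 0, SignerAddress: "A", Timestamp: Base},
		{ValidatorIndex: 1, SignerAddress: "B", Timestamp: Base.Add(2 * time.Second)},
		{ValidatorIndex: 2, SignerAddress: "C", Timestamp: Base.Add(time.Hour)},
	}
	swapped = []Vote{
		{ValidatorIndex: 0, SignerAddress: "C", Timestamp: Base.Add(time.Hour)},
		{ValidatorIndex: 1, SignerAddress: "B", Timestamp: Base.Add(2 * time.Second)},
		{ValidatorIndex: 2, SignerAddress: "A", Timestamp: Base},
	}
	return vals, honest, swapped
}

func main() {
	vals, honest, swapped := BuildScenario()
	fmt.Println("honest block time: ", WeightedMedianTime(vals, honest))
	fmt.Println("swapped block time:", WeightedMedianTime(vals, swapped))
	if err := VerifySignerMatchesIndex(vals, swapped); err != nil {
		fmt.Println("hardened check rejects swapped commit:", err)
	}
}
```

With the honest commit, A's 60 of 100 power pins the median at Base; in the swapped commit the same three signed timestamps are present, but the hour-ahead one now carries 60 power and becomes the median. Nothing about the signatures changed, only the index each vote was credited to, which is why the check has to compare signer against the validator at that index rather than merely verifying the signature in isolation.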


Technical Appendix

CVSS Score: 8.1 / 10
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
(Note: under the CVSS v3.1 formula this vector as written scores 6.5; the listed 8.1 corresponds to the same vector with PR:L. PR:H reflects that the attacker must already hold the proposer role.)
EPSS Probability: 0.04%

Affected Systems

- CometBFT < 0.37.18
- CometBFT >= 0.38.0, < 0.38.21
- Cosmos SDK chains using affected CometBFT versions
- Tendermint-based consensus engines

Affected Versions Detail

Product    Affected Versions       Fixed Version
CometBFT   < 0.37.18               0.37.18
CometBFT   >= 0.38.0, < 0.38.21    0.38.21
Attribute       Detail
Attack Vector   Network (Proposer Role)
CVSS            8.1 (High)
CWE             CWE-345: Insufficient Verification of Data Authenticity
Impact          Integrity & Availability (Time Manipulation)
Exploit Status  PoC / Conceptual
Patch Date      2026-01-23

Vulnerability Timeline

Vulnerability Discovered (Internal)
2026-01-01
Patch Authored & Released
2026-01-23
Public Disclosure (GHSA-C32P-WCQJ-J677)
2026-01-23
