- Web3 delivery network Bluzelle has revealed details of a critical bug it discovered in Tendermint, the BFT consensus that’s used by Cosmos.
- The error came to light during a validators competition that Bluzelle was running on its testnet.
Web3 delivery network Bluzelle has revealed details of a critical bug it discovered in Tendermint, the BFT consensus that’s used by Cosmos. The error came to light during a validators competition that Bluzelle was running on its testnet. Despite restarting the blockchain with a new genesis, the bug, which rendered blocks incapable of accepting Tendermint’s consensus, resurfaced. As a result, the Bluzelle team was forced to submit a detailed bug report to Tendermint complete with forensic logs that showed how the error manifested.
News of the Tendermint bug comes days after Balancer’s protocol was exploited using a smart contract vulnerability that resulted in $450,000 of tokens being drained. With more than $1.6 billion locked into defi protocols, the incentive for attackers to exploit complex smart contracts governing oracles and liquidity pools has never been greater.
Bluzelle Spares Tendermint’s Blushes
Sometimes vulnerabilities are discovered by the “good guys,” as was the case when Bancor drained user funds from its smart contract after discovering a vuln to save them from being hacked. At other times, the exploit is found by a black hat who uses it to exfiltrate hundreds of thousands of dollars. Tendermint will have been relieved that the vulnerability in its BFT consensus was discovered on Bluzelle’s testnet, and not in a live setting when the ramifications would have been significant.
Many blockchain projects offer bug bounties in a bid to incentivize hackers to act ethically and disclose their findings. After discovering the fatal flaw in Tendermint’s consensus, Bluzelle acted honorably and filed a bug disclosure report. As a result, the Tendermint team was able to act promptly, replicating the error and then acting to remedy it.
Testnets are commonly used by blockchain projects, providing a means for users to familiarize themselves with processes such as staking and serving as validators. They also provide a more critical role, though, by highlighting bugs that can then be eradicated before the network goes live.
Making the Case for Incentivized Testnets
Bluzelle’s discovery of a bug in Tendermint has bolstered the case for incentivized testnets. Numerous blockchain projects have offered rewards to testnet participants as a means of maximizing engagement and ensuring the network is thoroughly tested at scale. Having more eyes on the protocol also increases the likelihood of bugs being spotted.
Reflecting on Bluzelle’s testnet event, CEO Pavel Bains said: “A competition intended to incentivize validators to stake and participate in consensus suddenly became an impromptu bug bounty … I am proud that the team were able to uncover and identify this critical bug, as it will undoubtedly lead to important refinements from Cosmos and Tendermint and prevent this error from being replicated in a live environment.”
In total, 1.4 million BLZ tokens will be rewarded to Bluzelle validators for their participation in the testnet. Other projects to have recently rolled out incentivized testnets include Matic and Elrond. The latter posted $30,000 in ERD to drive participation in its “Battle of Nodes: Onchained” event.