Tendermint Core Security Advisory Alderfly

Recently, a high-severity security vulnerability that impacts the Tendermint light client was reported to the Tendermint bug bounty program. A patch for the issue, which includes no breaking changes, will be released in version 0.34.9 of Tendermint Core, in version 0.42.4 of the Cosmos SDK, and in version 4.2.1 of Gaia on April 8 at 16:00 UTC.

The Tendermint Core team encourages all validators and service providers on Tendermint-powered networks to prepare to update their software to the latest, most secure version as quickly as possible after this update becomes available.

This notice has been posted in accordance with our vulnerability disclosure policy. For future security alerts for Tendermint Core, you can also subscribe to our dedicated security mailing list.


We’ve had a couple hiccups getting the Tendermint Core release out, but we’re back on track and should have new versions of Tendermint Core, the Cosmos SDK, and Gaia soon. Thanks for bearing with us and apologies for the delay.

The patches that resolve the issues comprising Security Advisory Alderfly have been released in v0.34.9 of Tendermint Core, in v0.42.4 of the Cosmos SDK, and in version 4.2.1 of Gaia. All releases are now available to the public. The Cosmos SDK and Gaia releases were delayed by 24 hours, but future security updates will be released on a tightened timeline.

Full details of the patches that comprise this release should be available by Thursday, April 15.

You can find source code and binaries available on the respective release pages:

Details of the patches that comprise Security Advisory Alderfly are now available at Security Advisory Alderfly · Advisory · tendermint/tendermint · GitHub.