Researchers: Cosmos consensus layer CometBFT has a high-risk vulnerability, which was publicly disclosed due to vendor oversight.

PANews reported on April 22 that security researcher Doyeon Park disclosed a high-risk zero-day vulnerability (CVSS 7.1) in the Cosmos consensus layer CometBFT, which could cause nodes to freeze during block synchronization, affecting a network protecting over $8 billion in assets. This vulnerability does not allow for direct asset theft. Park stated that his attempts to coordinate vulnerability disclosure were unsuccessful due to the vendor's lack of cooperation and refusal to publicly report, leading him to ultimately decide to disclose the vulnerability publicly. The vendor had previously downgraded a similar vulnerability (CVE-2025-24371) to an "informative" level, disregarding international standards.

The timeline shows: Park submitted his first report on February 22nd; the vendor asked that it be filed as a public GitHub issue but refused to disclose it publicly. The second report was marked as spam by HackerOne on March 4th. On March 6th, the vendor arbitrarily downgraded the CVE severity, and Park submitted a network-level PoC to refute the downgrade. The report was finally disclosed publicly on April 21st. Park recommends that Cosmos validators avoid restarting nodes as much as possible until the patch is released: nodes already in consensus mode can continue to run, but restarting them puts them back into the block synchronization process, where malicious peer nodes can trigger the deadlock.

Author: PA一线