Bluzelle Uncovers Major Tendermint Bug in Latest Blockchain Scare

Bluzelle has published details of a major bug found in Tendermint’s BFT consensus. The blockchain consensus protocol, which is used by Cosmos, was being run by Bluzelle during a validators competition for the decentralized web3 delivery network’s community. The error they identified is merely the latest glitch to have been found in blockchain architecture following a series of high profile smart contract vulnerabilities. 

Bluzelle Flushes Out a Troublesome Bug

The event was meant to have served as a testbed for Bluzelle’s network validators. In the end, it turned into an inspection of Tendermint’s codebase and the filing of a serious bug report. The issue, which rendered blocks unable to process the Tendermint consensus, caused the blockchain to come to a halt. As one of only a few projects using the latest version of Tendermint in the testnet form, the team was in uncharted waters.

Despite resetting with a new genesis and restarting the chain, the bug continued to cause crashes in the Bluzelle system, necessitating the drafting of a detailed bug report which was promptly posted to Tendermint’s GitHub. Although the issue disappeared after a subsequent network restart, it resurfaced on June 27 with the same error message: Consensus: "enterPrevote: ProposalBlock is invalid" - Error: "wrong signature.”

“Although our team’s discovery of a bug threatened to derail the entire competition just days after it began, it proved to be a valuable exercise for everyone involved,” reflected Bluzelle CEO, Pavel Bains. “A competition intended to incentivize validators to stake and participate in consensus suddenly became an impromptu bug bounty, with heads coming together to diagnose and resolve the problem.”

Blockchain Bugs Are a Persistent Problem

Errors in blockchain architecture continue to emerge on a regular basis, often with costly consequences. Last week, DeFi protocol Balancer had its pools drained of $450,000 of tokens through an exploit of deflationary tokens. It was the fifth attack to target DeFi protocols, following similar exploits against lending protocol bZx and dForce. Bancor, meanwhile, was forced to preemptively “steal” user funds after discovering a vulnerability that would have allowed an attacker to follow suit.

Bluzelle’s timely discovery of the Tendermint bug has allowed the problem to be addressed before it has a chance to be exploited or to stall a live blockchain network. With validators continuing to run and detailed logs available, Bluzelle liaised directly with their Tendermint counterparts, who were able to reproduce the problem and identify its root cause. A solution was then developed to recover a stalled chain and prevent future crashes.

During the three-week competition, Bluzelle validators also found time to complete network performance tests and to create CENSUS, a brand-new validator explorer, and an upgraded sentry security model. 1.4 million BLZ tokens have been made available to reward the community for their support, including an award of 3,000 BLZ to every validator who achieved over 51% uptime. Incentivized testnets have become popular as blockchain projects seek to identify bugs that could have major consequences if allowed to go live on the mainnet.