Summary
A critical vulnerability inherited from Tendermint was identified and patched in Heimdall. The bug could allow a malicious peer to disseminate seemingly valid, yet incorrect, block parts. This could cause Heimdall validators to accept and propagate invalid data, ultimately leading to a network stall if enough nodes are affected. This vulnerability was reported upstream (in CometBFT) as ASA-2025-002 and has been addressed through a patch in Polygon’s Tendermint fork.
Root Cause
In Heimdall, block propagation relies on breaking the proposed block into fixed-size “parts” (64 kB each), which are then gossiped through the network. Each part includes:

```go
type Part struct {
	Index uint32             `json:"index"`
	Bytes cmn.HexBytes       `json:"bytes"`
	Proof merkle.SimpleProof `json:"proof"`
}
```

Each `Part` carries a Merkle proof:

```go
type SimpleProof struct {
	Total    int64
	Index    int64
	LeafHash []byte
	Aunts    [][]byte
}
```
This proof allows the receiving node to verify that the part belongs to the original block proposal: the node hashes `Part.Bytes`, walks `Proof.Aunts` from the leaf upward, choosing the left or right position at each level from `Proof.Index`, and compares the result with the proposal's part-set hash. `Part.Index`, the slot the part is actually stored in, plays no role in that computation. The original Tendermint v0.33.3 codebase used by Heimdall lacked a crucial validation step: it did not check whether `Part.Index` matched `Proof.Index`.

This omission allowed a malicious peer to take a genuine block part together with its valid proof and re-send it under a different `Part.Index`. The proof still verified, because it was computed for `Proof.Index`, so Heimdall nodes would accept the forged part, store the wrong bytes in the claimed slot, mark that index as received, and never request the correct part from peers. A block cannot be reassembled while one of its parts is missing, so propagation stalls on the affected node, and on the network once enough validators are affected.
Resolution and Recovery
The vulnerability was patched in Heimdall’s Tendermint fork (Peppermint v0.33.4) by modifying the `ValidateBasic()` function in `types/part_set.go`. The patched version now explicitly validates that `Part.Index` equals `Proof.Index`:

```go
if int(part.Index) != part.Proof.Index {
	return errors.Errorf("part index %d != proof index %d", part.Index, part.Proof.Index)
}
```

Because this validation runs on every block part received from a peer before the part is stored, a part whose proof was computed for a different index is now rejected up front, and block parts can no longer be spoofed using unrelated proofs. The check was added alongside the existing validations to preserve compatibility and safety.

This fix aligns with the upstream CometBFT patches that resolve ASA-2025-002 and related issues. Heimdall’s fork now includes this critical fix, mitigating the threat of malicious block part propagation.
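To make both the root cause and the fix concrete, here is an added, self-contained Go model of the part-set logic described in the two sections above. It is example code written for this page, not Heimdall's, Peppermint's or Tendermint's own implementation: the `SimpleProof`/`Part` types are simplified stand-ins for the structs quoted earlier, `BuildPartSet`, `AddPart` and `ForgePart` are hypothetical names, and the nine two-byte sample parts are constructed (real parts are 64 kB). The proof verification follows the shape of Tendermint's aunt-walking verifier, where every left/right turn is decided by `Proof.Index`, so a genuine part re-sent under a different `Part.Index` still verifies; the `checkIndex` flag in `AddPart` switches the patched `ValidateBasic()` rule on and off.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/bits"
)

// Simplified stand-ins for the Part and SimpleProof structs quoted above (example types, not Heimdall's).
type SimpleProof struct {
	Total, Index int
	LeafHash     []byte
	Aunts        [][]byte // sibling hashes, leaf level first
}
type Part struct {
	Index uint32
	Bytes []byte
	Proof SimpleProof
}

// Domain-separated hashing (0x00 leaf, 0x01 inner) as in RFC 6962 and Tendermint's simple Merkle tree,
// and Tendermint's split rule: the largest power of two strictly below n (n >= 2).
func leafHash(b []byte) []byte     { h := sha256.Sum256(append([]byte{0}, b...)); return h[:] }
func innerHash(l, r []byte) []byte { h := sha256.Sum256(append(append([]byte{1}, l...), r...)); return h[:] }
func splitPoint(n int) int         { return 1 << (bits.Len(uint(n-1)) - 1) }

// buildTree returns the root over proofs[lo:hi] and appends each leaf's aunts bottom-up.
func buildTree(proofs []SimpleProof, lo, hi int) []byte {
	if hi-lo == 1 {
		return proofs[lo].LeafHash
	}
	k := splitPoint(hi - lo)
	left, right := buildTree(proofs, lo, lo+k), buildTree(proofs, lo+k, hi)
	for i := lo; i < hi; i++ {
		sibling := left
		if i < lo+k {
			sibling = right
		}
		proofs[i].Aunts = append(proofs[i].Aunts, sibling)
	}
	return innerHash(left, right)
}

// computeRoot walks the aunts from the leaf up; every left/right turn is decided by Proof.Index alone
// and Part.Index is never consulted, which is exactly why the separate index check is needed.
func computeRoot(index, total int, leaf []byte, aunts [][]byte) []byte {
	if index < 0 || index >= total || (total == 1) != (len(aunts) == 0) {
		return nil
	}
	if total == 1 {
		return leaf
	}
	k, top, rest := splitPoint(total), aunts[len(aunts)-1], aunts[:len(aunts)-1]
	if index < k {
		if sub := computeRoot(index, k, leaf, rest); sub != nil {
			return innerHash(sub, top)
		}
	} else if sub := computeRoot(index-k, total-k, leaf, rest); sub != nil {
		return innerHash(top, sub)
	}
	return nil
}

// BuildPartSet is the proposer side: one part per chunk, each carrying a proof against the root.
func BuildPartSet(chunks [][]byte) (root []byte, parts []*Part) {
	proofs := make([]SimpleProof, len(chunks))
	for i, c := range chunks {
		proofs[i] = SimpleProof{Total: len(chunks), Index: i, LeafHash: leafHash(c)}
	}
	root = buildTree(proofs, 0, len(chunks))
	for i, c := range chunks {
		parts = append(parts, &Part{Index: uint32(i), Bytes: c, Proof: proofs[i]})
	}
	return root, parts
}

// AddPart is the receiver side: have[i] stays nil until part i arrives, and a filled slot is never
// requested from peers again. With checkIndex set it also applies the patched ValidateBasic rule.
func AddPart(root []byte, have []*Part, p *Part, checkIndex bool) error {
	if checkIndex && int(p.Index) != p.Proof.Index {
		return fmt.Errorf("part index %d != proof index %d", p.Index, p.Proof.Index)
	}
	if int(p.Index) >= len(have) || !bytes.Equal(p.Proof.LeafHash, leafHash(p.Bytes)) ||
		!bytes.Equal(root, computeRoot(p.Proof.Index, p.Proof.Total, p.Proof.LeafHash, p.Proof.Aunts)) {
		return errors.New("index out of range or invalid merkle proof")
	}
	if have[p.Index] == nil {
		have[p.Index] = p
	}
	return nil
}

// ForgePart is the attack: reuse a real part's bytes and proof, but claim a different index.
func ForgePart(src *Part, claimed uint32) *Part {
	return &Part{Index: claimed, Bytes: src.Bytes, Proof: src.Proof}
}

func main() {
	root, parts := BuildPartSet(bytes.Fields([]byte("p0 p1 p2 p3 p4 p5 p6 p7 p8"))) // constructed 9-part block
	forged, vuln := ForgePart(parts[0], 1), make([]*Part, len(parts))
	err := AddPart(root, vuln, forged, false)
	fmt.Println("unpatched:", err, "| slot 1 now holds:", string(vuln[1].Bytes))
	fmt.Println("patched:", AddPart(root, make([]*Part, len(parts)), forged, true))
}
```

Running it shows the unpatched receiver accepting the forged part and filling slot 1 with part 0's bytes (so it would never re-request the real part 1), while the patched receiver returns `part index 1 != proof index 0`. The Merkle check alone cannot catch this, because the proof is genuinely valid for the bytes it accompanies; only comparing the claimed slot against the index the proof was built for closes the gap, which is why the fix is an index equality check rather than a stronger hash check.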
Resolution Timeline and Deployment
- March 24, 2025 – The patch was implemented and merged into Polygon’s Tendermint fork v0.33.4.
- March 24, 2025 – A new Heimdall release, v1.2.1, including the patch, was published and deployed on Amoy testnet and Mainnet.
- Validator operators were informed and provided with upgrade instructions to ensure network stability and continued propagation of valid blocks.
The vulnerability has been successfully mitigated in production through this release. All node operators are strongly encouraged to verify they are running Heimdall v1.2.1 or later.