fix: enforce PubKey-Address binding in LCA evidence validation (backport #2848) #2933
Merged
rootulp merged 2 commits into v0.39.x-celestia from Apr 17, 2026
Fixes https://dashboard.hackenproof.com/manager/companies/celestia/celestia/reports/CELESTIA-220

## Summary

- `validateABCIEvidence` checked `Address` and `VotingPower` of byzantine validators but did not verify that `PubKey.Address()` matched the `Address` field
- Since `ABCI()` derives misbehavior addresses from `PubKey.Address()` (via `TM2PB.Validator`), an attacker could submit evidence with swapped PubKeys that passes verification but redirects slash/jail/tombstone attribution to innocent validators
- Add a check that `ev.ByzantineValidators[i].PubKey.Address()` equals the expected address from the node's own validator set

## Test plan

- [x] `TestValidateABCIEvidenceRejectsMismatchedPubKey`: creates valid lunatic evidence, swaps PubKeys in ByzantineValidators (keeping Address/VotingPower intact), asserts `VerifyLightClientAttack` rejects it. Verified this test **fails before the fix** and **passes after**.
- [x] `TestABCIEvidenceAddressDerivedFromPubKey`: confirms `ABCI()` derives addresses from `PubKey.Address()` not the `Address` field, demonstrating why the binding check is necessary.
- [x] Full `evidence` package test suite passes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit 5fef39f)
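The binding check described in the summary above, as an added Go example that is not code from celestia-core or from this PR. `Validator`, `addressOf`, `newValidator` and `checkByzantine` are hypothetical simplified stand-ins, the address is modelled as the first 20 bytes of SHA-256 over an Ed25519 public key, and the keys are constructed from fixed seeds.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Validator is a simplified stand-in (hypothetical), not the celestia-core type.
type Validator struct {
	Address     []byte
	PubKey      ed25519.PublicKey
	VotingPower int64
}

// addressOf models PubKey.Address(): first 20 bytes of SHA-256(pubkey).
func addressOf(pk ed25519.PublicKey) []byte {
	sum := sha256.Sum256(pk)
	return sum[:20]
}

// newValidator builds a consistent validator from a constructed one-byte seed.
func newValidator(seed byte, power int64) Validator {
	pk := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize)).Public().(ed25519.PublicKey)
	return Validator{Address: addressOf(pk), PubKey: pk, VotingPower: power}
}

// checkByzantine compares evidence with the node's own set; bindPubKey=false models the pre-fix checks.
func checkByzantine(own, ev []Validator, bindPubKey bool) error {
	if len(own) != len(ev) {
		return fmt.Errorf("expected %d byzantine validators, got %d", len(own), len(ev))
	}
	for i := range own {
		if !bytes.Equal(ev[i].Address, own[i].Address) || ev[i].VotingPower != own[i].VotingPower {
			return fmt.Errorf("validator %d: address or voting power mismatch", i)
		}
		if bindPubKey && !bytes.Equal(addressOf(ev[i].PubKey), own[i].Address) {
			return fmt.Errorf("validator %d: PubKey.Address() does not match Address", i)
		}
	}
	return nil
}

func main() {
	a, b := newValidator(1, 10), newValidator(2, 10) // constructed keys; b is not part of the evidence
	ev := []Validator{{Address: a.Address, PubKey: b.PubKey, VotingPower: a.VotingPower}}
	fmt.Println(checkByzantine([]Validator{a}, ev, false), "|", checkByzantine([]Validator{a}, ev, true))
}
```

With the binding disabled the mismatched entry passes, and the address derived from its `PubKey` is the uninvolved validator's, which is the misattribution the fix closes.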
Comment on lines +1 to +3
| - `[evidence]` Add PubKey-to-Address binding check in | ||
| `validateABCIEvidence` to prevent LightClientAttackEvidence with swapped | ||
| PubKeys from redirecting slash attribution to innocent validators. |
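Review bot: the entry on lines +1 to +3 ends at "innocent validators." without naming an issue or PR, so a reader of the release notes cannot trace it back to the fix; consider appending the PR reference (#2933, or #2848 for the original change). The entry also mentions only slash attribution, while the PR summary lists slash/jail/tombstone attribution; naming all three would describe the impact as the summary does.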
🟡 Changelog filename missing required issue/PR number prefix
The changelog file is named lca-pubkey-address-binding.md but both CONTRIBUTING.md and CLAUDE.md require the format {issue-or-pr-number}-{description}.md. Virtually all other changelog entries in the repository (e.g., 2913-mempool-user-tx-latency-metric.md, 3092-consensus-timeout-ticker-data-race.md) follow this convention. For PR #2933, the file should be named 2933-lca-pubkey-address-binding.md.
Prompt for agents
Rename the changelog file from .changelog/unreleased/bug-fixes/lca-pubkey-address-binding.md to .changelog/unreleased/bug-fixes/2933-lca-pubkey-address-binding.md (or use the relevant issue number instead of the PR number). Both CONTRIBUTING.md and CLAUDE.md require the format {issue-or-pr-number}-{description}.md for changelog entries.
ninabarbakadze approved these changes Apr 17, 2026
This is an automatic backport of pull request #2848 done by [Mergify](https://mergify.com).