security: Upgrade CometBFT to v0.37.18 and fix nil validator panic #339

Merged: zmanian merged 1 commit into main from security/cometbft-v0.37.18 on Jan 24, 2026

@zmanian zmanian commented Jan 23, 2026

Summary

  • Upgrades CometBFT from v0.37.15 to v0.37.18 which contains security patches
  • Fixes potential panic when processing scheduled corks for validators that no longer exist (e.g., fully unbonded validators)

Changes

  • go.mod/go.sum: Bump github.com/cometbft/cometbft v0.37.15 → v0.37.18
  • x/cork/keeper/keeper.go: Add nil check for validator in GetApprovedScheduledCorks
  • x/axelarcork/keeper/keeper.go: Add nil check for validator in GetApprovedScheduledAxelarCorks

Test plan

  • go build ./cmd/... compiles successfully
  • go test ./x/... ./app/... -short passes

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced handling of missing validators in scheduled transaction processing. The system now properly detects and manages cases where validators have been removed or unbonded by automatically cleaning up associated pending transactions and ensuring queue consistency and data integrity.

- Updates CometBFT from v0.37.15 to v0.37.18 which contains security patches
- Fix panic when validator no longer exists during scheduled cork processing
  (e.g., fully unbonded validators)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
coderabbitai Bot commented Jan 23, 2026

Walkthrough

Two keeper methods (GetApprovedScheduledCorks and GetApprovedScheduledAxelarCorks) now include nil-checks during scheduled cork iteration. When a validator no longer exists, the scheduled cork is deleted, the validator's cork count is decremented, and iteration continues. This prevents processing invalid validator entries.

Changes

Cohort / File(s) | Summary
Validator existence checks in cork keeper methods (x/axelarcork/keeper/keeper.go, x/cork/keeper/keeper.go) | Added nil-check in GetApprovedScheduledCorks(Axelar) to handle deleted validators. When validator == nil, deletes the scheduled cork entry, decrements cork count, and skips further processing via continue statement. Ensures state consistency by pruning references to removed validators early.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title directly reflects the main changes: upgrading CometBFT for security and fixing nil validator panics, which aligns perfectly with the changeset.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@zmanian zmanian merged commit 9ff4894 into main Jan 24, 2026
1 of 4 checks passed
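
The nil-validator guard described in this pull request, sketched as an added Go example that is not the project's own code. The `Store`, `Validator`, `ScheduledCork` and `TallyScheduledCorks` names are hypothetical in-memory stand-ins for the keepers, and the sample data is constructed.

```go
package main

import "fmt"

// Hypothetical in-memory stand-ins for the staking and cork stores.
// None of these names are taken from the project's code.
type Validator struct{ Power int64 }

type ScheduledCork struct{ ID, ValAddr string }

type Store struct {
	Validators map[string]*Validator // absent key models a fully unbonded validator
	Corks      []ScheduledCork       // scheduled corks awaiting tally
	CorkCount  map[string]int        // pending corks per validator address
}

// TallyScheduledCorks sums voting power per cork ID. A cork whose validator
// is gone is deleted and its count decremented, rather than dereferencing nil.
func (s *Store) TallyScheduledCorks() (power map[string]int64, pruned int) {
	power = make(map[string]int64)
	kept := make([]ScheduledCork, 0, len(s.Corks))
	for _, c := range s.Corks {
		v := s.Validators[c.ValAddr] // nil when the validator no longer exists
		if v == nil {
			if s.CorkCount[c.ValAddr]--; s.CorkCount[c.ValAddr] <= 0 {
				delete(s.CorkCount, c.ValAddr)
			}
			pruned++
			continue // without this guard, v.Power below panics
		}
		power[c.ID] += v.Power
		kept = append(kept, c)
	}
	s.Corks = kept
	return power, pruned
}

// sampleStore builds constructed data: valB has unbonded but left a cork behind.
func sampleStore() *Store {
	return &Store{
		Validators: map[string]*Validator{"valA": {Power: 70}, "valC": {Power: 30}},
		Corks:      []ScheduledCork{{"cork1", "valA"}, {"cork1", "valB"}, {"cork1", "valC"}},
		CorkCount:  map[string]int{"valA": 1, "valB": 1, "valC": 1},
	}
}

func main() {
	s := sampleStore()
	power, pruned := s.TallyScheduledCorks()
	fmt.Println(power, pruned, len(s.Corks), s.CorkCount)
}
```

A second call on the same store prunes nothing, which is the queue-consistency property a regression test for this fix should assert.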