Byzantine-Fault Tolerant State Machine Replication. Or Blockchain, for short.
| Branch | Tests | Linting |
|---|---|---|
| main | | |
| v0.38.x | | |
| v0.37.x | | |
| v0.34.x | | |
CometBFT is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine - written in any programming language - and securely replicates it on many machines.
It is a fork of Tendermint Core and implements the Tendermint consensus algorithm.
For protocol details, refer to the CometBFT Specification.
For detailed analysis of the consensus protocol, including safety and liveness proofs, read our paper, "The latest gossip on BFT consensus".
Complete documentation can be found on the website.
Please do not depend on main as your production branch. Use releases instead.
If you intend to run CometBFT in production, we're happy to help. To contact us, use the project's support channels (the #cometbft chat channel is one of them).
More on how releases are conducted can be found here.
To report a security vulnerability, see our bug bounty program. For examples of the kinds of bugs we're looking for, see our security policy.
| CometBFT version | Requirement | Notes |
|---|---|---|
| main | Go version | Go 1.22 or higher |
| v0.38.x | Go version | Go 1.22 or higher |
| v0.37.x | Go version | Go 1.22 or higher |
| v0.34.x | Go version | Go 1.12 or higher |
See the install guide.
Please abide by the Code of Conduct in all interactions.
Before contributing to the project, please take a look at the contributing guidelines and the style guide. You may also find it helpful to read the specifications, and familiarize yourself with our Architectural Decision Records (ADRs) and Request For Comments (RFCs).
CometBFT uses Semantic Versioning to determine when and how the version changes. According to SemVer, anything in the public API can change at any time before version 1.0.0.
To provide some stability to users of 0.X.X versions of CometBFT, the MINOR version is used to signal breaking changes across CometBFT's API. This API includes all publicly exposed types, functions, and methods in non-internal Go packages, as well as the types and methods accessible via the CometBFT RPC interface.
Breaking changes to these public APIs will be documented in the CHANGELOG.
In an effort to avoid accumulating technical debt prior to 1.0.0, we do not guarantee that breaking changes (i.e. bumps in the MINOR version) will work with existing CometBFT blockchains. In these cases you will have to start a new blockchain, or write something custom to get the old data into the new chain. However, any bump in the PATCH version should be compatible with existing blockchain histories.
For more information on upgrading, see UPGRADING.md.
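The pre-1.0 policy above (a PATCH bump should keep working with an existing chain history, a MINOR bump may break the public API and may require starting a new chain) is easy to mis-apply when an operator is deciding whether a node upgrade is safe. The following is an added example, not CometBFT's own code: a small stdlib-only Go program that parses release tags and applies exactly that rule. The names `ParseVersion`, `Classify` and `CheckUpgrade` are hypothetical; the sample version pairs are constructed; and treating a MAJOR bump as breaking, and a downgrade as outside the policy, are assumptions, since the README only describes 0.X.X upgrades.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed release tag such as "v0.38.7" (MAJOR.MINOR.PATCH).
type Version struct {
	Major, Minor, Patch int
}

// ParseVersion accepts "v0.38.7" or "0.38.7"; a pre-release or build
// suffix ("-rc1", "+meta") is ignored for the compatibility decision.
func ParseVersion(s string) (Version, error) {
	core := strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("version %q: expected MAJOR.MINOR.PATCH", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("version %q: bad component %q", s, p)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Compat is the outcome of applying the README's pre-1.0 versioning policy.
type Compat int

const (
	SameVersion     Compat = iota // nothing to do
	PatchUpgrade                  // same MAJOR.MINOR, higher PATCH: chain history should keep working
	BreakingUpgrade               // MINOR (or, by assumption, MAJOR) bump: API may break, new chain may be needed
	Downgrade                     // target older than current: assumed outside the policy
)

func (c Compat) String() string {
	switch c {
	case SameVersion:
		return "same version"
	case PatchUpgrade:
		return "patch upgrade: existing chain history expected to keep working"
	case BreakingUpgrade:
		return "breaking upgrade: API may change; a new chain or data migration may be needed"
	default:
		return "downgrade: not covered by the versioning policy"
	}
}

// less reports whether a precedes b in MAJOR.MINOR.PATCH order.
func less(a, b Version) bool {
	if a.Major != b.Major {
		return a.Major < b.Major
	}
	if a.Minor != b.Minor {
		return a.Minor < b.Minor
	}
	return a.Patch < b.Patch
}

// Classify applies the policy to a move from the running version to the target.
func Classify(from, to Version) Compat {
	switch {
	case from == to:
		return SameVersion
	case less(to, from):
		return Downgrade
	case from.Major == to.Major && from.Minor == to.Minor:
		return PatchUpgrade
	default:
		return BreakingUpgrade
	}
}

// CheckUpgrade parses both tags and classifies the move between them.
func CheckUpgrade(fromTag, toTag string) (Compat, error) {
	from, err := ParseVersion(fromTag)
	if err != nil {
		return 0, err
	}
	to, err := ParseVersion(toTag)
	if err != nil {
		return 0, err
	}
	return Classify(from, to), nil
}

func main() {
	// Constructed sample pairs, not taken from the README.
	for _, p := range [][2]string{{"v0.38.5", "v0.38.7"}, {"v0.37.4", "v0.38.0"}, {"v0.38.7", "v0.38.5"}} {
		c, err := CheckUpgrade(p[0], p[1])
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> %s: %s\n", p[0], p[1], c)
	}
}
```

The check is deliberately conservative: it never reports a MINOR bump as safe, because the README only promises history compatibility for PATCH bumps, and a pre-release suffix is stripped rather than compared, so an rc tag is judged by the release it precedes.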
Because we are a small core team, we have limited capacity to ship patch updates, including security updates. Consequently, we strongly recommend keeping CometBFT up-to-date. Upgrading instructions can be found in UPGRADING.md.
Currently supported versions include:
Below are links to the original Tendermint consensus algorithm and relevant whitepapers which CometBFT will continue to build on.
CometBFT is currently maintained by Informal Systems. If you'd like to work full-time on CometBFT, we're hiring!
Funding for CometBFT development comes primarily from the Interchain Foundation, a Swiss non-profit. Informal Systems also maintains cometbft.com.