Missing Validation of Priorities in Validateset in Header and Many Other Known Issues in Cometbft are Unsolved

[Hellobloc]

The header hash was generated with a missing hash of the validateset's priorities information. A malicious user could modify the priorities without causing a state hash validation error. Remarkably this is a known issue in Cometbft that breaks the state hash validation for priorities.

gno/tm2/pkg/bft/types/validator_set.go

Lines 309 to 318 in 05cd4f5

	func (vals *ValidatorSet) Hash() []byte {
	if len(vals.Validators) == 0 {
	return nil
	}
	bzs := make([][]byte, len(vals.Validators))
	for i, val := range vals.Validators {
	bzs[i] = val.Bytes()
	}
	return merkle.SimpleHashFromByteSlices(bzs)
	}

/types/validator.go
type Validator struct {
	Address     Address       `json:"address"`
	PubKey      crypto.PubKey `json:"pub_key"`
	VotingPower int64         `json:"voting_power"`

	ProposerPriority int64 `json:"proposer_priority"`
}
...
types/validator_set.go
func (vals *ValidatorSet) Hash() []byte {
	bzs := make([][]byte, len(vals.Validators))
	for i, val := range vals.Validators {
		bzs[i] = val.Bytes()
	}
	return merkle.HashFromByteSlices(bzs)
}
...
/types/validator.go
func (v *Validator) Bytes() []byte {
	pk, err := ce.PubKeyToProto(v.PubKey)
	if err != nil {
		panic(err)
	}

	pbv := cmtproto.SimpleValidator{
		PubKey:      &pk,
		VotingPower: v.VotingPower,
	}//missing ProposerPriority

	bz, err := pbv.Marshal()
	if err != nil {
		panic(err)
	}
	return bz
}

This project implemented its own consensus protocol using cometbft's fork project, but many of the flaws that were fixed in cometbft were not fixed by that project, and this issue is one of them.
More information is shown below：
Other Unsolved issues' Fix PR and Commits:
cometbft/cometbft#3984
cometbft/cometbft#3369
cometbft/cometbft@d766d20
cometbft/cometbft#890
cometbft/cometbft#865

[thehowl]

cc @zivkovicmilos