From 49948f02f6463db78a82176764412b392e73d370 Mon Sep 17 00:00:00 2001
From: Tian <tian@dydx.exchange>
Date: Mon, 26 Jan 2026 11:32:05 -0800
Subject: [PATCH 1/2] upgrade cometbft and cosmos-sdk for tachyon security fix
 (#3320)

(cherry picked from commit 07b2c964e689a63d34b5e990b6c5d1fe56b79571)

# Conflicts:
#	protocol/go.mod
#	protocol/go.sum
---
 protocol/go.mod | 6 +++++-
 protocol/go.sum | 7 +++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/protocol/go.mod b/protocol/go.mod
index 1bcfea7bf0..a3add78f9a 100644
--- a/protocol/go.mod
+++ b/protocol/go.mod
@@ -470,13 +470,17 @@ replace (
 	// Use dYdX fork of Cosmos SDK/store
 	cosmossdk.io/store => github.com/dydxprotocol/cosmos-sdk/store v1.0.3-0.20240326192503-dd116391188d
 	// Use dYdX fork of CometBFT
+<<<<<<< HEAD
 	github.com/cometbft/cometbft => github.com/dydxprotocol/cometbft v0.38.6-0.20251014202517-0235a938b029
 	// Fixes the issue that `tx_search` resolves to a single entry, due to an cometbft-db interface
 	// change in v0.13.0+.
 	// TODO(CT-1343): Remove and fix properly by backporting upstream fix to cometbft fork.
 	github.com/cometbft/cometbft-db => github.com/cometbft/cometbft-db v0.12.0
+=======
+	github.com/cometbft/cometbft => github.com/dydxprotocol/cometbft v0.38.6-0.20260126154011-467083c7ba0b
+>>>>>>> 07b2c964 (upgrade cometbft and cosmos-sdk for tachyon security fix (#3320))
 	// Use dYdX fork of Cosmos SDK
-	github.com/cosmos/cosmos-sdk => github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20251014211237-3a1ba0aabac3
+	github.com/cosmos/cosmos-sdk => github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20260126162345-69ba38d4ae69
 	github.com/cosmos/iavl => github.com/dydxprotocol/iavl v1.1.1-0.20240509161911-1c8b8e787e85
 )
 
diff --git a/protocol/go.sum b/protocol/go.sum
index 04546b9301..1aa65f2c00 100644
--- a/protocol/go.sum
+++ b/protocol/go.sum
@@ -956,10 +956,17 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/dvsekhvalnov/jose2go v1.6.0 h1:Y9gnSnP4qEI0+/uQkHvFXeD2PLPJeXEL+ySMEA2EjTY=
 github.com/dvsekhvalnov/jose2go v1.6.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
+<<<<<<< HEAD
 github.com/dydxprotocol/cometbft v0.38.6-0.20251014202517-0235a938b029 h1:jgRwHeeMpPahMyWUvBT0TIdAo7M9y6CXLzF7ZZzYstg=
 github.com/dydxprotocol/cometbft v0.38.6-0.20251014202517-0235a938b029/go.mod h1:XSQX1hQbr54qaJb4/5YNNZGXkAQHHa6bi/KMcN1SQ7w=
 github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20251014211237-3a1ba0aabac3 h1:VzjChSIDsDua0WjFoHb+bqodgeAMBPsflNS7ot14TQU=
 github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20251014211237-3a1ba0aabac3/go.mod h1:PqtaF8C4fKHmDIvrdc7GBpZKsRkjihCJxq0gOlt2k98=
+=======
+github.com/dydxprotocol/cometbft v0.38.6-0.20260126154011-467083c7ba0b h1:zimy9cByNdNEXMtcq0MLgS1/1SNudK2t9gGIW/Rv9co=
+github.com/dydxprotocol/cometbft v0.38.6-0.20260126154011-467083c7ba0b/go.mod h1:XSQX1hQbr54qaJb4/5YNNZGXkAQHHa6bi/KMcN1SQ7w=
+github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20260126162345-69ba38d4ae69 h1:yppKvzPXeXJeTnJQGm4q3W2QykVs9ogKAzPdoBwntLk=
+github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20260126162345-69ba38d4ae69/go.mod h1:LPTAFgqFNHEbp7hQG16uSIEw5GpwXT5QMbX+oI0CMfA=
+>>>>>>> 07b2c964 (upgrade cometbft and cosmos-sdk for tachyon security fix (#3320))
 github.com/dydxprotocol/cosmos-sdk/store v1.0.3-0.20240326192503-dd116391188d h1:HgLu1FD2oDFzlKW6/+SFXlH5Os8cwNTbplQIrQOWx8w=
 github.com/dydxprotocol/cosmos-sdk/store v1.0.3-0.20240326192503-dd116391188d/go.mod h1:zMcD3hfNwd0WMTpdRUhS3QxoCoEtBXWeoKsu3iaLBbQ=
 github.com/dydxprotocol/iavl v1.1.1-0.20240509161911-1c8b8e787e85 h1:5B/yGZyTBX/OZASQQMnk6Ms/TZja56MYd8OBaVc0Mho=

From 6ebc13b001d3dfc8633532643a809c81858a54ef Mon Sep 17 00:00:00 2001
From: Tian Qin <tian@dydx.exchange>
Date: Mon, 26 Jan 2026 15:08:02 -0500
Subject: [PATCH 2/2] fix merge conflict

---
 protocol/go.mod | 6 +-----
 protocol/go.sum | 7 -------
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/protocol/go.mod b/protocol/go.mod
index a3add78f9a..60bfc8a458 100644
--- a/protocol/go.mod
+++ b/protocol/go.mod
@@ -470,15 +470,11 @@ replace (
 	// Use dYdX fork of Cosmos SDK/store
 	cosmossdk.io/store => github.com/dydxprotocol/cosmos-sdk/store v1.0.3-0.20240326192503-dd116391188d
 	// Use dYdX fork of CometBFT
-<<<<<<< HEAD
-	github.com/cometbft/cometbft => github.com/dydxprotocol/cometbft v0.38.6-0.20251014202517-0235a938b029
+	github.com/cometbft/cometbft => github.com/dydxprotocol/cometbft v0.38.6-0.20260126154011-467083c7ba0b
 	// Fixes the issue that `tx_search` resolves to a single entry, due to an cometbft-db interface
 	// change in v0.13.0+.
 	// TODO(CT-1343): Remove and fix properly by backporting upstream fix to cometbft fork.
 	github.com/cometbft/cometbft-db => github.com/cometbft/cometbft-db v0.12.0
-=======
-	github.com/cometbft/cometbft => github.com/dydxprotocol/cometbft v0.38.6-0.20260126154011-467083c7ba0b
->>>>>>> 07b2c964 (upgrade cometbft and cosmos-sdk for tachyon security fix (#3320))
 	// Use dYdX fork of Cosmos SDK
 	github.com/cosmos/cosmos-sdk => github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20260126162345-69ba38d4ae69
 	github.com/cosmos/iavl => github.com/dydxprotocol/iavl v1.1.1-0.20240509161911-1c8b8e787e85
diff --git a/protocol/go.sum b/protocol/go.sum
index 1aa65f2c00..30a8584b20 100644
--- a/protocol/go.sum
+++ b/protocol/go.sum
@@ -956,17 +956,10 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/dvsekhvalnov/jose2go v1.6.0 h1:Y9gnSnP4qEI0+/uQkHvFXeD2PLPJeXEL+ySMEA2EjTY=
 github.com/dvsekhvalnov/jose2go v1.6.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
-<<<<<<< HEAD
-github.com/dydxprotocol/cometbft v0.38.6-0.20251014202517-0235a938b029 h1:jgRwHeeMpPahMyWUvBT0TIdAo7M9y6CXLzF7ZZzYstg=
-github.com/dydxprotocol/cometbft v0.38.6-0.20251014202517-0235a938b029/go.mod h1:XSQX1hQbr54qaJb4/5YNNZGXkAQHHa6bi/KMcN1SQ7w=
-github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20251014211237-3a1ba0aabac3 h1:VzjChSIDsDua0WjFoHb+bqodgeAMBPsflNS7ot14TQU=
-github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20251014211237-3a1ba0aabac3/go.mod h1:PqtaF8C4fKHmDIvrdc7GBpZKsRkjihCJxq0gOlt2k98=
-=======
 github.com/dydxprotocol/cometbft v0.38.6-0.20260126154011-467083c7ba0b h1:zimy9cByNdNEXMtcq0MLgS1/1SNudK2t9gGIW/Rv9co=
 github.com/dydxprotocol/cometbft v0.38.6-0.20260126154011-467083c7ba0b/go.mod h1:XSQX1hQbr54qaJb4/5YNNZGXkAQHHa6bi/KMcN1SQ7w=
 github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20260126162345-69ba38d4ae69 h1:yppKvzPXeXJeTnJQGm4q3W2QykVs9ogKAzPdoBwntLk=
 github.com/dydxprotocol/cosmos-sdk v0.50.6-0.20260126162345-69ba38d4ae69/go.mod h1:LPTAFgqFNHEbp7hQG16uSIEw5GpwXT5QMbX+oI0CMfA=
->>>>>>> 07b2c964 (upgrade cometbft and cosmos-sdk for tachyon security fix (#3320))
 github.com/dydxprotocol/cosmos-sdk/store v1.0.3-0.20240326192503-dd116391188d h1:HgLu1FD2oDFzlKW6/+SFXlH5Os8cwNTbplQIrQOWx8w=
 github.com/dydxprotocol/cosmos-sdk/store v1.0.3-0.20240326192503-dd116391188d/go.mod h1:zMcD3hfNwd0WMTpdRUhS3QxoCoEtBXWeoKsu3iaLBbQ=
 github.com/dydxprotocol/iavl v1.1.1-0.20240509161911-1c8b8e787e85 h1:5B/yGZyTBX/OZASQQMnk6Ms/TZja56MYd8OBaVc0Mho=