Opening an IBC connection with hermes or rly fails because the light-client verification detects a mismatched header signature.
Hermes error:
2025-05-26T12:15:08.036353Z ERROR ThreadId(01) failed ConnOpenTry ConnectionSide { chain: BaseChainHandle { chain_id: gm }, client_id: 07-tendermint-0, connection_id: None }: failed during an operation on client '07-tendermint-4' hosted by chain 'localnet-1': error raised while updating client on chain localnet-1: failed building header with error: light client verification error for chain id gm: invalid light block: invalid commit value: header_hash=7C674D370AADFCBAACB73B67F9F238DAFDCAD8CFCE110E0E708DBA8D5ED9649E commit_hash=147B3C7D99339CC7B4691C9CBBCE46C0C515D8A31B436DEA5D62F7EAB60689C6
Go relayer:
2025-05-26T12:06:11.230184Z info Failed to get light signed headers {"src_chain_id": "localnet-1", "src_height": 1576, "dst_chain_id": "gm", "dst_height": 102, "attempt": 3, "max_attempts": 5, "error": "client provided bad signed header: invalid signed header: commit signs block F2EA44FAC1D7BC0A1C203B937516D778FA4120D440245BA000B7F26AAD5DE416, header is block 75AAFFA8CDFF8938BCB6D3B668C7E4E7BD4E9535CB95111E4D0FF996B36627BD"}
Steps to Reproduce
- Spin up 2 networks, one with rollkit and the other a normal Cosmos SDK.
- Create light-client entries on each side.
- Execute
hermes create connection (or the equivalent rly tx command).
- Observe the failure in step 3 with the log shown above.
Root Cause
When the execution layer was split, several header fields stopped being populated consistently across Rollkit and ABCI layers.
| Field |
Current status |
LastCommitHash |
Missing / wrong |
ValidatorsHash |
Missing / wrong |
| Header payload used for signature |
Inconsistent |
HeaderHash |
Inconsistent |
Because these values diverge, CometBFT produces a commit that signs one block hash while the relayer fetches a header with a different hash, triggering light-client rejection.
Proposed Fix
- Populate missing fields in the
/block RPC response
LastCommitHashValidatorsHash
- Expose an interface in the Rollkit layer that lets Rollkit delegate generation of:
ValidatorsHash- Header payload for the signature
HeaderHash
- Avoid Comet dependencies leak to rollkit
Acceptance Criteria
Opening an IBC connection with hermes or rly fails because the light-client verification detects a mismatched header signature.
Hermes error:
Go relayer:
Steps to Reproduce
hermes create connection(or the equivalentrly txcommand).Root Cause
When the execution layer was split, several header fields stopped being populated consistently across Rollkit and ABCI layers.
LastCommitHashValidatorsHashHeaderHashBecause these values diverge, CometBFT produces a commit that signs one block hash while the relayer fetches a header with a different hash, triggering light-client rejection.
Proposed Fix
/blockRPC responseLastCommitHashValidatorsHashValidatorsHashHeaderHashAcceptance Criteria
hermes create connection(and the equivalentrlyhandshake) succeeds end-to-end on fresh networks./blockRPC endpoint returns fully-populated header fields matching CometBFT expectations.