Missing Validation of Priorities in Validateset in Header and Many Other Known Issues are Unsolved

[Hellobloc]

The header hash was generated with a missing hash of the validateset's priorities information. A malicious user could modify the priorities without causing a state hash validation error. Remarkably this is a known issue in Cometbft that breaks the state hash validation for priorities. https://github.com/polynetwork/poly/blob/master/native/service/header_sync/polygon/types/heimdall_validator_set.go#L325-L334

/types/validator.go
type Validator struct {
    Address     Address       `json:"address"`
    PubKey      crypto.PubKey `json:"pub_key"`
    VotingPower int64         `json:"voting_power"`

    ProposerPriority int64 `json:"proposer_priority"`
}
...
types/validator_set.go
func (vals *ValidatorSet) Hash() []byte {
    bzs := make([][]byte, len(vals.Validators))
    for i, val := range vals.Validators {
        bzs[i] = val.Bytes()
    }
    return merkle.HashFromByteSlices(bzs)
}
...
/types/validator.go
func (v *Validator) Bytes() []byte {
    pk, err := ce.PubKeyToProto(v.PubKey)
    if err != nil {
        panic(err)
    }

    pbv := cmtproto.SimpleValidator{
        PubKey:      &pk,
        VotingPower: v.VotingPower,
    }//missing ProposerPriority

    bz, err := pbv.Marshal()
    if err != nil {
        panic(err)
    }
    return bz
}

Polynetwork implemented its own consensus protocol using cometbft's fork project, but many of the flaws that were fixed in cometbft were not fixed by that project, and this issue is one of them. More information is shown below： Other Unsolved issues' Fix PR and Commits: https://github.com/cometbft/cometbft/pull/3984 https://github.com/cometbft/cometbft/pull/3369 https://github.com/cometbft/cometbft/commit/d766d20c0609e3018e26f30aadf91bd322f8cad9 https://github.com/cometbft/cometbft/pull/890 https://github.com/cometbft/cometbft/pull/865

[Hellobloc]

@tanZiWen @siovanus