VYPR
Critical severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2021-45698

Description

An issue was discovered in the ckb crate before 0.40.0 for Rust. A get_block_template RPC call may fail in situations where it is supposed to select a Nervos CKB blockchain transaction with a higher fee rate than another transaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The ckb crate before 0.40.0 for Rust has a bug in the get_block_template RPC: the call fails when selecting transactions, leaving miners unable to produce blocks under specific conditions.

Vulnerability

An issue in the ckb crate before version 0.40.0 for Rust causes the get_block_template RPC call to fail when a cell is used as a cell dep in one transaction and destroyed as an input in another transaction ([2], [4]). The failure occurs specifically when the transaction destroying the cell has a higher fee rate than the transaction using it as a dep. Affected versions: all prior to 0.40.0.

Exploitation

An attacker can trigger this vulnerability by submitting two conflicting transactions to the node's transaction pool: transaction A that uses a cell C as a cell dep, and transaction B that destroys cell C as an input. If transaction B has a higher fee rate than A, the node, when generating a block template, will attempt to include B before A, causing the RPC to fail instead of dropping A ([2], [4]). The attacker only needs the ability to submit transactions to the pool; no special network position or authentication is required beyond that of a normal user.

Impact

Successful exploitation results in a denial of service for miners attempting to create block templates. The get_block_template RPC fails repeatedly, potentially stalling block production until the conflicting transactions are resolved or removed from the pool. No data disclosure, code execution, or privilege escalation occurs.

Mitigation

The vulnerability is fixed in ckb version 0.40.0, released on July 25, 2021 ([2], [4]). Users should upgrade to 0.40.0 or later. Workarounds include ensuring that the transaction destroying a cell dep has a lower fee rate than the dependent transaction, or explicitly making the destroying transaction depend on an output of the dependent transaction by using it as a dep cell or input. Merging both transactions into one is also effective, as CKB allows using the same cell as both dep and input in the same transaction ([4]).
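
A simplified model of the selection behaviour and the fee-rate workaround described above, as an added example (not ckb's code; the `Tx` struct, `build_template`, `risky_pairs` and the sample pool are constructed for illustration). It shows the call aborting in the pre-fix model, the conflicting transaction being dropped instead, and a pool check that flags the dep/input pair:

```rust
use std::collections::HashSet;

// Simplified model (not ckb's types): cells are ids; a tx consumes `inputs`
// and only reads `cell_deps`.
#[derive(Clone, Debug)]
pub struct Tx { pub name: &'static str, pub fee_rate: u64, pub inputs: Vec<u32>, pub cell_deps: Vec<u32> }

/// Select by descending fee rate. drop_conflicts=false models the failure
/// described above (a dead cell aborts the call); true skips that tx instead.
pub fn build_template(pool: &[Tx], drop_conflicts: bool) -> Result<Vec<&'static str>, String> {
    let mut sorted: Vec<&Tx> = pool.iter().collect();
    sorted.sort_by(|a, b| b.fee_rate.cmp(&a.fee_rate));
    let mut dead: HashSet<u32> = HashSet::new();
    let mut picked = Vec::new();
    for tx in sorted {
        let conflict = tx.inputs.iter().chain(&tx.cell_deps).find(|c| dead.contains(*c));
        if let Some(cell) = conflict {
            if drop_conflicts { continue; }
            return Err(format!("{} references dead cell {}", tx.name, cell));
        }
        dead.extend(tx.inputs.iter().copied());
        picked.push(tx.name);
    }
    Ok(picked)
}

/// Pool check: (dep user, destroyer) pairs matching the advisory's condition.
pub fn risky_pairs(pool: &[Tx]) -> Vec<(&'static str, &'static str)> {
    let mut out = Vec::new();
    for a in pool {
        for b in pool {
            if b.fee_rate > a.fee_rate && a.cell_deps.iter().any(|c| b.inputs.contains(c)) {
                out.push((a.name, b.name));
            }
        }
    }
    out
}

/// Constructed sample: A reads cell 7 as a dep, B spends it at `b_rate`.
pub fn sample_pool(b_rate: u64) -> Vec<Tx> {
    vec![Tx { name: "A", fee_rate: 1000, inputs: vec![1], cell_deps: vec![7] },
         Tx { name: "B", fee_rate: b_rate, inputs: vec![7], cell_deps: vec![] }]
}

fn main() {
    let pool = sample_pool(2000);
    println!("{:?} {:?} {:?}", risky_pairs(&pool), build_template(&pool, false), build_template(&pool, true));
}
```

With `sample_pool(500)`, where the destroying transaction has the lower fee rate, both modes select A and then B, which is the first workaround listed above.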

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| ckb (crates.io) | < 0.40.0 | 0.40.0 |
