CVE-2022-36447
Description
An inflation issue was discovered in Chia Network CAT1 Standard 1.0.0. Tokens previously minted on the Chia blockchain using the CAT1 standard can be inflated to an arbitrary extent by any holder of any amount of the token. The total amount of the token can be increased as high as the malicious actor pleases. This is true for every CAT1 on the Chia blockchain regardless of issuance rules. This attack is auditable on chain, so maliciously altered coins can potentially be marked by off-chain observers as malicious.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Chia CAT1 token standard had an inflation bug allowing any holder to arbitrarily increase supply; mitigated by upgrading to CAT2.
Vulnerability
Overview
The Chia CAT1 Standard 1.0.0 contained a critical inflation vulnerability that allowed any holder of a CAT1 token to arbitrarily increase the total supply of that token [1][2]. The root cause was a flaw in the coin's validation logic that failed to properly enforce supply caps during token minting or transfer operations, enabling malicious actors to create tokens out of thin air [2].
Exploitation
No special privileges or network position were required; any entity holding even a single unit of any CAT1 token could exploit the bug [2]. The attack was performed by crafting a transaction that violated the intended supply constraints, and it was fully on-chain auditable, meaning the inflated coins could be identified by off-chain observers [2].
Impact
An attacker could inflate the total supply of any CAT1 token to any arbitrary amount, completely undermining the token's scarcity and value [1][2]. This affected every token issued under the CAT1 standard, regardless of its individual issuance rules [2].
Mitigation
The Chia team deprecated CAT1 at block height 2,311,760 (July 26, 2022) and released wallet version 1.5.0, which no longer supports CAT1 assets [1]. Token holders were advised to upgrade their wallets and await reissuance of assets under the new CAT2 standard, which fixed the vulnerability [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| chia-blockchain (PyPI) | <= 2.4.4rc3 | — |
Affected products
- Chia Network/CAT1 Standard
- Range: = 1.0.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-pvjg-jwp3-mrj5 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-36447 (ADVISORY)
- chia.net (WEB)
- github.com/pypa/advisory-database/tree/main/vulns/chia-blockchain/PYSEC-2022-43072.yaml (WEB)
- www.chia.net/2022/07/25/upgrading-the-cat-standard.en.html (WEB)