VYPR
Unrated severityNVD Advisory· Published Sep 21, 2023· Updated Sep 24, 2024

Snapshot signature not including HeadID will allow replay attacks

CVE-2023-42806

Description

Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, not signing and verifying $\mathsf{cid}$ allows an attacker (which must be a participant of this head) to use a snapshot from an old head instance with the same participants to close the head or contest the state with it. This can lead to an incorrect distribution of value (= value extraction attack; hard, but possible) or prevent the head to finalize because the value available is not consistent with the closed utxo state (= denial of service; easy). A patch is planned for version 0.13.0. As a workaround, rotate keys between heads so not to re-use keys and not result in the same multi-signature participants.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Ory/Hydrallm-fuzzy
    Range: <0.13.0
  • input-output-hk/hydrav5
    Range: < 0.13.0

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.