Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
BLS Signature "Malleability"
Vulnerability Description
Lotus is an Implementation of the Filecoin protocol written in Go. BLS signature validation in lotus uses blst library method VerifyCompressed. This method accepts signatures in 2 forms: "serialized", and "compressed", meaning that BLS signatures can be provided as either of 2 unique byte arrays. Lotus block validation functions perform a uniqueness check on provided blocks. Two blocks are considered distinct if the CIDs of their blockheader do not match. The CID method for blockheader includes the BlockSig of the block. The result of these issues is that it would be possible to punish miners for valid blocks, as there are two different valid block CIDs available for each block, even though this must be unique. By switching from the go based `blst` bindings over to the bindings in `filecoin-ffi`, the code paths now ensure that all signatures are compressed by size and the way they are deserialized. This happened in https://github.com/filecoin-project/lotus/pull/5393.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
密码学签名的验证不恰当
Vulnerability Title
Łukasz Magiera lotus 数据伪造问题漏洞
Vulnerability Description
Łukasz Magiera lotus是Łukasz Magiera开源的一个应用软件。Filecoin分布式存储网络的实现。 Lotus 存在安全漏洞,Lotus块验证函数对所提供的块执行唯一性检查。
CVSS Information
N/A
Vulnerability Type
N/A