Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Snapshot signature not including HeadID will allow replay attacks
Vulnerability Description
Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, not signing and verifying `$\mathsf{cid}$` allows an attacker (which must be a participant of this head) to use a snapshot from an old head instance with the same participants to close the head or contest the state with it. This can lead to an incorrect distribution of value (= value extraction attack; hard, but possible) or prevent the head to finalize because the value available is not consistent with the closed utxo state (= denial of service; easy). A patch is planned for version 0.13.0. As a workaround, rotate keys between heads so not to re-use keys and not result in the same multi-signature participants.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Vulnerability Type
密码学签名的验证不恰当
Vulnerability Title
Hydra 数据伪造问题漏洞
Vulnerability Description
Hydra是一款渗透测试工具。 Hydra 0.13.0之前版本存在数据伪造问题漏洞,该漏洞源于允许攻击者通过使用不包括HeadID的快照签名进行重放攻击。
CVSS Information
N/A
Vulnerability Type
N/A