CVE-2023-42806
MEDIUMHydra < 0.13.0 - Cryptographic Signature Verification Bypass via Unsigned CID
Title source: llmDescription
Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, not signing and verifying `$\mathsf{cid}$` allows an attacker (which must be a participant of this head) to use a snapshot from an old head instance with the same participants to close the head or contest the state with it. This can lead to an incorrect distribution of value (= value extraction attack; hard, but possible) or prevent the head to finalize because the value available is not consistent with the closed utxo state (= denial of service; easy). A patch is planned for version 0.13.0. As a workaround, rotate keys between heads so not to re-use keys and not result in the same multi-signature participants.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/input-output-hk/hydra/security/advisories/GHSA-gr36-mc6v-72qq
Product x_refsource_misc
https://github.com/input-output-hk/hydra/blob/ec6c7a2ab651462228475d0b34264e9a182c22bb/hydra-node/src/Hydra/HeadLogic.hs#L357
Scores
CVSS v3
6.5
EPSS
0.0041
EPSS Percentile
32.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-347
Status
published
Products (1)
iohk/hydra
< 0.13.0
Published
Sep 21, 2023
Tracked Since
Feb 18, 2026