
ckb: Transaction header_deps validation issue (network forking)

Critical severity GitHub Reviewed Published Nov 2, 2022 in nervosnetwork/ckb • Updated Jan 8, 2023

Package

cargo ckb (Rust)

Affected versions

<= 0.101.0

Patched versions

0.101.1

Description

Impact

The function HeaderChecker#check_valid has skipped the main chain check since this PR: https://github.com/nervosnetwork/ckb/pull/1646/files#diff-c4e017b67c1b3005ca0c446a9b0879571aa36a858b1f7ddd1b9328a884e3214bR171-R176

This causes a network fork if a transaction uses a forked block header that does not exist in the local node's storage.
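The following simplified model is an added illustration, not ckb's code: it shows why nodes disagree on the same transaction when a header dep is accepted without a main chain check. The Node type, its fields and both check functions are hypothetical, block hashes are constructed one-byte stand-ins, and the model assumes the remaining check is only whether the header is present in local storage.

```rust
use std::collections::{HashMap, HashSet};

type Hash = u8; // constructed stand-in for a 32-byte block hash

// Simplified node view (hypothetical model, not ckb's storage API).
struct Node {
    stored: HashSet<Hash>,          // every header this node has seen, forks included
    main_chain: HashMap<u64, Hash>, // block number -> hash on the node's main chain
    numbers: HashMap<Hash, u64>,    // hash -> block number
}

impl Node {
    fn new(canon: &[(u64, Hash)], forks: &[(u64, Hash)]) -> Self {
        let mut n = Node { stored: HashSet::new(), main_chain: HashMap::new(), numbers: HashMap::new() };
        for &(num, h) in canon { n.main_chain.insert(num, h); }
        for &(num, h) in canon.iter().chain(forks) { n.stored.insert(h); n.numbers.insert(h, num); }
        n
    }

    // Weak check (assumed): a header dep passes if the header is merely in local storage.
    fn check_stored_only(&self, header_deps: &[Hash]) -> bool {
        header_deps.iter().all(|h| self.stored.contains(h))
    }

    // Strict check: the header must also be the main chain block at its own number.
    fn check_main_chain(&self, header_deps: &[Hash]) -> bool {
        header_deps.iter().all(|h| {
            self.numbers.get(h).and_then(|n| self.main_chain.get(n)) == Some(h)
        })
    }
}

// Returns (weak_a, weak_b, strict_a, strict_b) for a transaction whose header dep is a fork block.
fn demo() -> (bool, bool, bool, bool) {
    let canon: [(u64, Hash); 2] = [(1, 0xA1), (2, 0xA2)];
    let node_a = Node::new(&canon, &[(2, 0xF2)]); // stored the forked block 0xF2
    let node_b = Node::new(&canon, &[]);          // never received it
    let deps: [Hash; 1] = [0xF2];
    (node_a.check_stored_only(&deps), node_b.check_stored_only(&deps),
     node_a.check_main_chain(&deps), node_b.check_main_chain(&deps))
}

fn main() {
    println!("{:?}", demo());
}
```

With the weak check the two nodes return different verdicts for the same transaction, which is the fork condition; with the main chain check both reject it.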

Patches

0.101.1 and later versions

References

@doitian doitian published to nervosnetwork/ckb Nov 2, 2022
Published to the GitHub Advisory Database Nov 2, 2022
Reviewed Nov 2, 2022
Last updated Jan 8, 2023

Severity

Critical

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-7fw6-6mfj-g3q2

Source code
