CVE-2023-42449

Hydra is the two-layer scalability solution for Cardano. Prior to version 0.13.0, it is possible for a malicious head initializer to extract one or more PTs for the head they are initializing due to incorrect data validation logic in the head token minting policy which then results in an flawed check for burning the head ST in the initial validator. This is possible because it is not checked in HeadTokens.hs that the datums of the outputs at the initial validator are equal to the real head ID, and it is also not checked in the off-chain code.

During the Initial state of the protocol, if the malicious initializer removes a PT from the Hydra scripts it becomes impossible for any other participant to reclaim any funds they have attempted to commit into the head, as to do so the Abort transaction must burn all the PTs for the head, but they cannot burn the PT which the attacker controls and so cannot satisfy this requirement. That means the initializer can lock the other participants committed funds forever or until they choose to return the PT (ransom).

The malicious initializer can also use the PT to spoof that they have committed a particular TxO when progressing the head into the Open state. For example, they could say they committed a TxO residing at their address containing 100 ADA, but in fact this 100 ADA was not moved into the head, and thus in order for an other participant to perform the fanout they will be forced to pay the attacker the 100 ADA out of their own funds, as the fanout transaction must pay all the committed TxOs (even though the attacker did not really commit that TxO). They can do this by placing the PT in a UTxO with a well-formed Commit datum with whatever contents they like, then use this UTxO in the collectCom transaction. There may be other possible ways to abuse having control of a PT.

Version 0.13.0 fixes this issue.