43 matches found
EUVD-2022-0568
Malicious code in bioql PyPI...
EUVD-2022-0528
Malicious code in bioql PyPI...
EUVD-2022-0422
Malicious code in bioql PyPI...
CVE-2021-45699
An issue was discovered in the ckb crate before 0.40.0 for Rust. Remote attackers may be able to conduct a 51% attack against the Nervos CKB blockchain by triggering an inability to allocate memory for the misbehavior HashMap...
Nervos CKB Permit load cell data from memory
Impact: Faulty nodes reject transactions that call the load_cell_data syscall while the input cell is still in the mempool. They also ban other nodes and cause network separation. Patches: 0.35.2, 0.36.1, 0.37.1, 0.38.2...
GHSA-29C2-65RJ-H343 Nervos CKB Permit load cell data from memory
Impact: Faulty nodes reject transactions that call the load_cell_data syscall while the input cell is still in the mempool. They also ban other nodes and cause network separation. Patches: 0.35.2, 0.36.1, 0.37.1, 0.38.2...
GHSA-H4C3-5275-VRMG Nervos CKB Pool does not remove the conflicting transactions from the statistics
Impact: There is a bug in the pool statistics: when conflicting transactions are removed from the pool, they are not subtracted from the statistics. Eventually the transaction pool stays full and rejects all transactions. Patches: 0.39.2 Workarounds: Restart the CKB node...
Nervos CKB Pool does not remove the conflicting transactions from the statistics
Impact: There is a bug in the pool statistics: when conflicting transactions are removed from the pool, they are not subtracted from the statistics. Eventually the transaction pool stays full and rejects all transactions. Patches: 0.39.2 Workarounds: Restart the CKB node...
GHSA-Q73F-W3H7-7WCC Nervos CKB Transaction which calls syscall load_cell_data_hash has nondeterministic result
Impact: Tx-pool verification of a transaction whose inputs' script contains load_cell_data_hash is nondeterministic. Workarounds: Enforce that the tx-pool ResolvedTrascation inputs' load data is none...
Nervos CKB Transaction which calls syscall load_cell_data_hash has nondeterministic result
Impact: Tx-pool verification of a transaction whose inputs' script contains load_cell_data_hash is nondeterministic. Workarounds: Enforce that the tx-pool ResolvedTrascation inputs' load data is none...
Nervos CKB Snappy decompress length can be very large and causes out of memory error
Impact: An adversary can create a message whose compressed size is less than the package limit but whose decompressed length is very large, such as 1G. The node then needs a large amount of memory to process the network messages, and on a system with less than 1G of memory, the process is killed directly because of...
GHSA-3GJH-29FV-8HR6 Nervos CKB Snappy decompress length can be very large and causes out of memory error
Impact: An adversary can create a message whose compressed size is less than the package limit but whose decompressed length is very large, such as 1G. The node then needs a large amount of memory to process the network messages, and on a system with less than 1G of memory, the process is killed directly because of...
Nervos CKB Panic on malformed input
Impact: The CKB process panics when it receives a malformed p2p message because of snappy, which is used to compress network messages. References: https://github.com/BurntSushi/rust-snappy/issues/29...
GHSA-WJXC-PJX9-4WVM Nervos CKB Panic on malformed input
Impact: The CKB process panics when it receives a malformed p2p message because of snappy, which is used to compress network messages. References: https://github.com/BurntSushi/rust-snappy/issues/29...
Nervos CKB node panics when processing a block whose parent timestamp is too new
Impact: An adversary can initiate a DoS attack by broadcasting two consecutive blocks with timestamps in the future. Patches: Please upgrade to v0.34.1...
Nervos CKB BlockTimeTooNew should not be considered as invalid block
Impact: Currently, when a node receives a block that is in the future according to its local wall clock, it will mark the block as invalid and ban the peer. If the header's timestamp is more than 15 seconds ahead of our current time. In that case, the header may become valid in the future, and we don't want t...
GHSA-R9RV-9MH8-PXF4 Nervos CKB BlockTimeTooNew should not be considered as invalid block
Impact: Currently, when a node receives a block that is in the future according to its local wall clock, it will mark the block as invalid and ban the peer. If the header's timestamp is more than 15 seconds ahead of our current time. In that case, the header may become valid in the future, and we don't want t...
Nervos CKB DoS: Process exits when p2p discovery protocol receives unsupported peer IP
The p2p discovery protocol assumes that the peer IP must be a valid IPv4 address...
GHSA-PR39-8257-FXC2 Nervos CKB DoS: Process exits when p2p discovery protocol receives unsupported peer IP
The p2p discovery protocol assumes that the peer IP must be a valid IPv4 address...
GHSA-84X2-2QV6-QG56 Nervos CKB P2P DoS Attacks
The P2P protocols lack rate limits. For example, in the relay protocol, when a node receives broadcasted txhashes, it marks them in memory to avoid duplicated requests. It is easy to mount a DoS attack by generating random tx hashes. Impact: It affects all nodes connected to the P2P...