EUVD-2023-42478

Malicious code in bioql PyPI...

EUVD-2023-46895

Malicious code in bioql PyPI...

CVE-2025-48886

Hydra is a layer-two scalability solution for Cardano. Prior to version 0.22.0, the process assumes L1 event finality and does not consider failed transactions. Currently, Cardano L1 is monitored for certain events which are necessary for state progression. At the moment, Hydra considers those...

CVE-2025-48886 hydra-node dangerously assumes L1 event finality and does not consider failed transactions

Hydra is a layer-two scalability solution for Cardano. Prior to version 0.22.0, the process assumes L1 event finality and does not consider failed transactions. Currently, Cardano L1 is monitored for certain events which are necessary for state progression. At the moment, Hydra considers those...

CVE-2025-48886 hydra-node dangerously assumes L1 event finality and does not consider failed transactions

Hydra is a layer-two scalability solution for Cardano. Prior to version 0.22.0, the process assumes L1 event finality and does not consider failed transactions. Currently, Cardano L1 is monitored for certain events which are necessary for state progression. At the moment, Hydra considers those...

Design/Logic Flaw

Hydra is the two-layer scalability solution for Cardano. Prior to version 0.13.0, it is possible for a malicious head initializer to extract one or more PTs for the head they are initializing due to incorrect data validation logic in the head token minting policy which then results in an flawed...

CVE-2023-42449

Hydra (Cardano) prior to v0.13.0 has an input validation flaw in the head initialiser that lets a malicious head initialiser extract PTs for the head being initialised, bypassing checks in HeadTokens.hs and off‑chain code. This can enable the attacker to lock other participants’ committed funds (...

CVE-2023-42448 Hydra's contestation period in head datum can be modified during Close transaction, allowing malicious participant to freely modify the contestation deadline

Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, the specification states that the contestation period in the datum of the UTxO at the head validator must stay unchanged as the state progresses from Open to Closed Close transaction, but no such check appears to be...

CVE-2023-38701

CVE-2023-38701 (Hydra) affects Hydra’s head protocol on Cardano. Before v0.12.0, the commit validator and the initial validator contain a flawed check when the ViaAbort redeemer is used, allowing any user to arbitrarily spend UTxOs at the validator. This enables an attacker to steal funds users c...

CVE-2023-42806 Snapshot signature not including HeadID will allow replay attacks

Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, not signing and verifying $\mathsfcid$ allows an attacker which must be a participant of this head to use a snapshot from an old head instance with the same participants to close the head or contest the state with i...