漏洞标题
在验证接收到的ATX时,Smesher不会检查之前的ATX是否是最新的有效ATX。
漏洞描述信息
go-spacemesh是Spacemesh协议全节点的Go实现。节点可以发布激活交易(ATX),这些交易引用了创建ATX的Smesher的错误的前一个ATX。预计ATX将以最新到最早由身份发布的ATX的单链形式存在。允许Smesher引用更早(但不是最新的)ATX作为前一个ATX,这违反了该协议规则,并可能成为一种攻击向量,其中节点在保持PoST数据少于一个epoch的情况下仍可获得奖励。此漏洞已在go-spacemesh 1.5.2-hotfix1和Spacemesh API 1.37.1中修复。
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
漏洞类别
未加控制的资源消耗(资源穷尽)
漏洞标题
Previous ATX is not checked to be the newest valid ATX by Smesher when validating incoming ATX
漏洞描述信息
go-spacemesh is a Go implementation of the Spacemesh protocol full node. Nodes can publish activations transactions (ATXs) which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule and can serve as an attack vector where Nodes are rewarded for holding their PoST data for less than one epoch but still being eligible for rewards. This vulnerability is fixed in go-spacemesh 1.5.2-hotfix1 and Spacemesh API 1.37.1.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
漏洞类别
对因果或异常条件的不恰当检查
漏洞标题
go-spacemesh 代码问题漏洞
漏洞描述信息
go-spacemesh是Spacemesh开源的一个 Go Spacemesh 协议全节点的实现。 go-spacemesh 1.37.1之前版本存在代码问题漏洞,该漏洞源于在验证传入ATX时未将以前的ATX检查为最新的有效ATX。
CVSS信息
N/A
漏洞类别
代码问题