Highfasmat

**Name of the Vulnerable Software and Affected Versions** go-spacemesh versions prior to 1.5.2-hotfix1 Spacemesh API versions prior to 1.37.1 **Description** The issue allows nodes to publish activations transactions (ATXs) that reference an incorrect previous ATX of the Smesher that created the ATX. This breaks the protocol rule that ATXs should form a single chain from the newest to the first ATX ever published by an identity. As a result, nodes can be rewarded for holding their PoST data for less than one epoch while still being eligible for rewards, serving as an attack vector. **Recommendations** For go-spacemesh versions prior to 1.5.2-hotfix1, update to version 1.5.2-hotfix1 to fix the vulnerability. For Spacemesh API versions prior to 1.37.1, update to version 1.37.1 to fix the vulnerability. As a temporary workaround, consider restricting the ability to publish ATXs that reference an earlier ATX as previous until a patch is available.