Iulianpascalau

**Name of the Vulnerable Software and Affected Versions** mx-chain-go versions prior to 1.4.17 **Description** The issue occurs when executing a relayed transaction in mx-chain-go, the official implementation of the MultiversX blockchain protocol. If the inner transaction fails, it increases the inner transaction's sender account nonce, potentially contributing to a limited Denial of Service (DoS) attack on a targeted account. This is a strict processing issue that happens while validating blocks on a chain. **Recommendations** For versions prior to 1.4.17, update to version 1.4.17 or later to resolve the issue. As a temporary workaround, consider restricting the use of relayed transactions until the update is applied. Avoid using the `RelayedNonceFixEnableEpoch` flag in versions prior to 1.4.17, as it is not applicable.

**Name of the Vulnerable Software and Affected Versions** mx-chain-go versions prior to 1.4.16 **Description** The metachain cannot process a cross-shard miniblock. An invalid transaction with the wrong username on metachain is not treated correctly on the metachain transaction processor, which is a processing issue that could have occurred on the MultiversX chain. If such an error occurred, the metachain would have stopped notarizing blocks from the shard chains. The resuming of notarization is possible only after applying a patched binary version. A patch introduces `processIfTxErrorCrossShard` for the metachain transaction processor. **Recommendations** For versions prior to 1.4.16, update to version 1.4.16 or later, which includes the patch introducing `processIfTxErrorCrossShard` for the metachain transaction processor. As a temporary workaround, consider disabling the metachain transaction processor until a patched binary version is applied.

**Name of the Vulnerable Software and Affected Versions** Elrond-GO versions prior to 1.3.50 **Description** The issue is a processing problem where nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. This occurs due to a bad correlation between the transaction caches and the processing component. If a transaction is sent with more gas than required, the smart contract result (SCR transaction) that should return the leftover gas is wrongly added to a cache that the processing unit does not consider, causing the node to stop notarizing metachain blocks. The fix involves extending the SCR transaction search in all other caches if it isn't found in the correct sharded-cache. **Recommendations** For versions prior to 1.3.50, update to version 1.3.50 or later to resolve the issue. As a temporary workaround, consider extending the SCR transaction search in all other caches if it wasn't found in the correct sharded-cache, until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Elrond go versions prior to 1.3.35 **Description** The issue concerns read-only calls between contracts in the Elrond Network protocol, which can generate smart contract results and alter the state of the called contract as if the call was not made in read-only mode. This can lead to unintended effects not designed by the original smart contract programmers. **Recommendations** For versions prior to 1.3.35, update to version 1.3.35 or higher to resolve the issue. At the moment, there are no known workarounds for this issue.

**Name of the Vulnerable Software and Affected Versions** elrond-go versions prior to 1.3.34 **Description** The issue affects elrond-go, the go implementation for the Elrond Network protocol. In affected versions, processing blocks that contain a `MultiESDTNFTTransfer` transaction with a missing function name could cause problems. Basic functionality like p2p messaging, storage, and API requests are unaffected. **Recommendations** For versions prior to 1.3.34, update to version 1.3.34 or higher to resolve the issue. As a temporary workaround, consider avoiding the processing of blocks that contain `MultiESDTNFTTransfer` transactions with missing function names until a patch is applied. No other workarounds are available.