PT-2021-24272 · Nervos · Ckb
Published: 2021-07-25 · Updated: 2022-01-06 · CVE-2021-45698
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
ckb crate versions prior to 0.40.0
Description:
An issue was discovered in the ckb crate where a get_block_template RPC call may fail when selecting a Nervos CKB blockchain transaction with a higher fee rate than another transaction. This occurs when a cell has been used as a cell dep and an input in different transactions. For example, if cell C is used as a dep group in transaction A and is destroyed in transaction B, and the node adds transaction A first, then B into the transaction pool, the get_block_template RPC call will fail if the fee rate of B is higher.
Recommendations:
For versions prior to 0.40.0, consider the following workarounds:
- Submit transaction B when A is already on chain.
- Let B depend on A explicitly by adding any output cell on A as a dep cell or input in B, or merge A and B.
- Ensure the fee rate of B is less than A so A always has higher priority.
As a temporary workaround, consider modifying get_block_template to drop conflicting transactions instead of failing.
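The ordering problem and the drop-instead-of-fail workaround can be seen in a small model. This is an added example, not code from the ckb crate: the `Tx` type, `build_template`, `OnConflict` and the cell names are hypothetical, and selection is reduced to a plain fee-rate sort.

```rust
// Simplified model of the advisory's scenario. All types and names here are
// hypothetical and are not taken from the ckb code base.
use std::collections::HashSet;

struct Tx {
    id: &'static str,
    fee_rate: u64,
    inputs: Vec<&'static str>,    // cells consumed (destroyed) by this tx
    cell_deps: Vec<&'static str>, // cells only read; must still be live
}

#[derive(Clone, Copy)]
enum OnConflict { Fail, Drop }

/// Select pool transactions in descending fee-rate order. A candidate conflicts
/// when a cell it spends or reads was consumed by an already selected tx.
fn build_template(pool: &[Tx], policy: OnConflict) -> Result<Vec<&'static str>, String> {
    let mut by_fee: Vec<&Tx> = pool.iter().collect();
    by_fee.sort_by(|a, b| b.fee_rate.cmp(&a.fee_rate)); // stable: ties keep pool order
    let mut dead: HashSet<&'static str> = HashSet::new();
    let mut chosen = Vec::new();
    for tx in by_fee {
        let conflict = tx.inputs.iter().chain(&tx.cell_deps).any(|c| dead.contains(c));
        if conflict {
            match policy {
                OnConflict::Fail => return Err(format!("{} uses a dead cell", tx.id)),
                OnConflict::Drop => continue, // workaround: skip it, keep the template
            }
        }
        dead.extend(tx.inputs.iter().copied());
        chosen.push(tx.id);
    }
    Ok(chosen)
}

/// Constructed pool: A (dep on C) is added first, then B (spends C).
fn sample_pool(fee_a: u64, fee_b: u64) -> Vec<Tx> {
    vec![
        Tx { id: "A", fee_rate: fee_a, inputs: vec!["X"], cell_deps: vec!["C"] },
        Tx { id: "B", fee_rate: fee_b, inputs: vec!["C"], cell_deps: vec![] },
    ]
}

fn main() {
    println!("{:?}", build_template(&sample_pool(1, 2), OnConflict::Fail));
    println!("{:?}", build_template(&sample_pool(1, 2), OnConflict::Drop));
    println!("{:?}", build_template(&sample_pool(2, 1), OnConflict::Fail));
}
```

With B's fee rate higher, the failing policy returns an error for the whole template while the dropping policy still yields a template containing B; with A's fee rate higher, both transactions are selected in order.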
Fix
Time Of Check To Time Of Use
Affected Products
Ckb