PT-2021-24273 · Nervos · Ckb
Published 2021-07-25 · Updated 2022-01-06 · CVE-2021-45699
CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions:
ckb crate versions prior to 0.40.0
Description:
The issue allows remote attackers to conduct a 51% attack against the Nervos CKB blockchain by triggering an inability to allocate memory for the misbehavior HashMap. In the ckb sync protocol, a HashMap called 'misbehavior' maintains a score of each peer's violations of the protocol, keyed by PeerIndex, and entries are never removed from it. A remote attacker can make this HashMap grow without bound, resulting in degraded performance and ultimately a panic on allocation failure or the process being killed by the OS. This could be exploited to create a targeted or network-wide denial of service, in order to reduce the hash power of the network as part of a 51% attack.
Recommendations:
For versions prior to 0.40.0, update to version 0.40.0 or later to resolve the issue. As a temporary workaround, consider implementing measures to limit the growth of the 'misbehavior' HashMap, such as removing entries after a certain period of inactivity or implementing rate limiting on new connections. Restrict access to the ckb sync protocol to minimize the risk of exploitation. Avoid using the SendHeaders request for non-consecutive blocks until the issue is resolved.
Fix
Resource Exhaustion
Allocation of Resources Without Limits
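The sketch below is an added example, not code from the ckb crate or from this advisory. It models a per-peer score map like the one described above and shows how removing an entry on disconnect, plus an inactivity sweep as suggested in the recommendations, keeps the map bounded. `MisbehaviorTable`, its methods, the `usize` stand-in for PeerIndex, and the thresholds are all assumptions made for illustration.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

type PeerIndex = usize; // stand-in for the PeerIndex key named in the advisory

struct Entry { score: u32, last_seen: Instant }

// Hypothetical score table; names and thresholds are assumptions.
struct MisbehaviorTable { scores: HashMap<PeerIndex, Entry>, idle_ttl: Duration, ban_score: u32 }

#[allow(dead_code)]
impl MisbehaviorTable {
    fn new(idle_ttl: Duration, ban_score: u32) -> Self {
        Self { scores: HashMap::new(), idle_ttl, ban_score }
    }
    // Add points to a peer's score; true means the peer reached the ban threshold.
    fn record(&mut self, peer: PeerIndex, points: u32, now: Instant) -> bool {
        let e = self.scores.entry(peer).or_insert(Entry { score: 0, last_seen: now });
        e.score = e.score.saturating_add(points);
        e.last_seen = now;
        e.score >= self.ban_score
    }
    // Called from the disconnect handler: the removal the flawed pattern never performs.
    fn on_disconnect(&mut self, peer: PeerIndex) { self.scores.remove(&peer); }
    // Periodic sweep for entries whose disconnect was missed; returns how many were dropped.
    fn evict_idle(&mut self, now: Instant) -> usize {
        let (before, ttl) = (self.scores.len(), self.idle_ttl);
        self.scores.retain(|_, e| now.saturating_duration_since(e.last_seen) < ttl);
        before - self.scores.len()
    }
}

// Constructed workload: `sessions` short-lived peers each score once and leave.
// Returns how many entries remain in the table afterwards.
fn entries_after_churn(sessions: usize, remove_on_disconnect: bool) -> usize {
    let mut table = MisbehaviorTable::new(Duration::from_secs(600), 100);
    let now = Instant::now();
    for peer in 0..sessions {
        table.record(peer, 20, now);
        if remove_on_disconnect { table.on_disconnect(peer); }
    }
    table.scores.len()
}

fn main() {
    println!("never removed:    {}", entries_after_churn(10_000, false));
    println!("removed on close: {}", entries_after_churn(10_000, true));
}
```

Without the disconnect hook the table size equals the number of sessions ever seen, which is the unbounded growth the description refers to; with it the size tracks only live peers.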
Related Identifiers
Affected Products
Ckb