PT-2023-26566 · Hydra · Hydra

Jmhrpr · Published 2023-10-04 · Updated 2023-10-11 · CVE-2023-38701

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Hydra versions prior to 0.12.0

Description

Hydra is a layer-two scalability solution for Cardano. The issue arises when the ViaAbort redeemer is used in the commit validator: any user can spend any UTxO arbitrarily, so an attacker can steal funds that users are trying to commit into the head validator. The intended behavior is that the funds are returned to the user who committed them, and that this can only be performed by a participant of the head. The initial validator is affected by the same flawed check. As a result, an attacker can steal any funds that users try to commit into a Hydra head and prevent any Hydra head from being successfully opened. However, the issue does not allow an attacker to take funds that have been successfully collected into and currently reside in the head validator.

Recommendations

For versions prior to 0.12.0, update to version 0.12.0 to resolve the issue. As a temporary workaround, consider restricting access to the commit and initial validators to minimize the risk of exploitation. Avoid using the ViaAbort redeemer in the affected validators until the issue is resolved.

Related Identifiers

CVE-2023-38701
GHSA-6X9V-7X5R-W8W6

Affected Products

Hydra