PT-2023-28348 · Hydra · Hydra

Jmhrpr · Published 2023-10-04 · Updated 2023-10-10 · CVE-2023-42448

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Hydra versions prior to 0.13.0

Description

Hydra is the layer-two scalability solution for Cardano. The contestation period in the datum of the UTxO at the head validator must stay unchanged as the state progresses from Open to Closed, but no such check appears to be performed in the checkClose function of the head validator. A malicious participant could therefore modify the contestation deadline of the head, either to fan out the head without giving another participant the chance to contest, or to prevent any participant from ever redistributing the funds locked in the head via a fan-out.

Recommendations

For versions prior to 0.13.0, update to version 0.13.0 to resolve the issue. As a temporary workaround, consider restricting access to the checkClose function of the head validator until the patch is applied. Additionally, avoid modifying the contestation deadline of the head to prevent potential exploitation.
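The missing invariant from the Description above, as an added Python model that is not Hydra's Plutus code: a close check that never compares the contestation period across the Open to Closed transition, beside one that does. The datum types, field names, function names and the way the deadline is derived from the Closed datum's period are assumptions of this model, and all sample values are constructed.

```python
from dataclasses import dataclass

# Simplified model; type and field names are assumptions, not Hydra's on-chain types.
@dataclass(frozen=True)
class OpenDatum:
    head_id: str
    parties: tuple
    contestation_period: int      # seconds

@dataclass(frozen=True)
class ClosedDatum:
    head_id: str
    parties: tuple
    contestation_period: int      # seconds
    contestation_deadline: int    # POSIX seconds

def check_close_without_period_check(old, new, tx_upper_bound):
    """'Before' model: the period is never compared across the transition."""
    return (new.head_id == old.head_id
            and new.parties == old.parties
            # Assumption of this model: the deadline is derived from the
            # period carried in the new (Closed) datum.
            and new.contestation_deadline == tx_upper_bound + new.contestation_period)

def check_close_with_period_check(old, new, tx_upper_bound):
    """Hardened model: the contestation period must survive Open -> Closed."""
    return (check_close_without_period_check(old, new, tx_upper_bound)
            and new.contestation_period == old.contestation_period)

def evaluate(check):
    """Run a close check over constructed Open -> Closed transitions."""
    old = OpenDatum("head-1", ("alice", "bob"), 600)   # constructed sample
    t = 1_700_000_000                                   # constructed tx upper bound
    def closed(period):
        return ClosedDatum(old.head_id, old.parties, period, t + period)
    cases = {
        "unchanged_period": closed(600),
        "no_contest_window": closed(0),         # deadline equals the close time
        "unreachable_deadline": closed(10**12)  # deadline far beyond any practical time
    }
    return {name: check(old, new, t) for name, new in cases.items()}

if __name__ == "__main__":
    for check in (check_close_without_period_check, check_close_with_period_check):
        print(check.__name__, evaluate(check))
```

The first check accepts all three transitions because each deadline is self-consistent with the period in the new datum; only the comparison against the Open datum's period rejects the two altered ones.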

Weakness Enumeration

Related Identifiers

CVE-2023-42448
GHSA-MGCX-6P7H-5996

Affected Products

Hydra