PT-2023-28349 · Hydra · Hydra

Jmhrpr · Published 2023-10-04 · Updated 2023-10-10 · CVE-2023-42449

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Hydra versions prior to 0.13.0
Description: The issue arises from incorrect validation logic in the head token minting policy (HeadTokens.hs), which results in a flawed check that the head state token (ST) is burned in the initial validator. Neither HeadTokens.hs nor the off-chain code verifies that the datums of the outputs locked at the initial validator are equal to the real head ID. A malicious head initializer can therefore extract one or more participation tokens (PTs) for the head they are initializing. With an extracted PT the attacker can lock other participants' committed funds forever, or until they choose to return the PT, and can spoof that they have committed a particular transaction output (TxO) when progressing the head into the Open state, forcing the other participants to pay the attacker out of their own funds.
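To make the missing check concrete, the following is an added example: a simplified Python model of the head token minting policy and of the initial validator's abort branch. It is not Hydra's Plutus code; addresses, token names, the head IDs and all function names are hypothetical, and the real validators check more than this. It shows that a minting policy which never inspects the datums of the initial outputs accepts an init transaction whose third output points at an attacker-controlled policy, and that the initial validator, which trusts that datum, then releases the real PT.

```python
# Added example (not Hydra's own code): simplified model of the head token
# minting policy and the initial validator's abort branch. All names are
# hypothetical; the real scripts check more than this.
from dataclasses import dataclass, field

INITIAL_VALIDATOR = "addr_initial"   # hypothetical initial validator address
HEAD_VALIDATOR = "addr_head"         # hypothetical head validator address
ATTACKER_WALLET = "addr_attacker"    # hypothetical attacker key address
ST = "HydraHeadV1"                   # head state token name
PT = "PT"                            # participation token (simplified: one name)


@dataclass
class TxOut:
    address: str
    datum: str                      # at the initial validator: the head ID
    value: dict = field(default_factory=dict)   # {(policy_id, name): quantity}


@dataclass
class Tx:
    mint: dict                      # {(policy_id, name): quantity}, negative = burn
    outputs: list


def initial_outputs(tx):
    return [o for o in tx.outputs if o.address == INITIAL_VALIDATOR]


def mint_check_vulnerable(tx, head_id, n_parties):
    """Pre-0.13.0 shape of the check: one ST and n PTs minted, n outputs at
    the initial validator each holding one PT. Datums are never inspected."""
    if tx.mint.get((head_id, ST)) != 1 or tx.mint.get((head_id, PT)) != n_parties:
        return False
    outs = initial_outputs(tx)
    return len(outs) == n_parties and all(o.value.get((head_id, PT)) == 1 for o in outs)


def mint_check_fixed(tx, head_id, n_parties):
    """Same checks plus the missing one: every initial output's datum must be
    the real head ID, i.e. this policy's own currency symbol."""
    return mint_check_vulnerable(tx, head_id, n_parties) and all(
        o.datum == head_id for o in initial_outputs(tx))


def initial_validator_abort(own_out, spending_tx):
    """Simplified abort branch of the initial validator: it trusts the head ID
    stored in its own datum and only requires that head's ST to be burned."""
    return spending_tx.mint.get((own_out.datum, ST)) == -1


def build_init_tx(head_id, datums):
    """Init transaction locking one PT per party at the initial validator,
    with the given datum on each initial output."""
    outs = [TxOut(INITIAL_VALIDATOR, d, {(head_id, PT): 1}) for d in datums]
    outs.append(TxOut(HEAD_VALIDATOR, head_id, {(head_id, ST): 1}))
    return Tx(mint={(head_id, ST): 1, (head_id, PT): len(datums)}, outputs=outs)


def pts_sent_to(tx, address, head_id):
    """Number of real PTs of head_id paid to address by tx."""
    return sum(o.value.get((head_id, PT), 0) for o in tx.outputs if o.address == address)


HEAD_ID = "policy_real_head"          # hypothetical currency symbol of the head
FAKE_HEAD_ID = "policy_attacker"      # hypothetical attacker-controlled policy

# Constructed honest init: all three initial outputs carry the real head ID.
HONEST_TX = build_init_tx(HEAD_ID, [HEAD_ID, HEAD_ID, HEAD_ID])
# Constructed malicious init: one output's datum points at the attacker's policy.
MALICIOUS_TX = build_init_tx(HEAD_ID, [HEAD_ID, HEAD_ID, FAKE_HEAD_ID])
# The attacker "aborts" only that output: burns an ST under the fake policy they
# control and pays the real PT to their own wallet.
ATTACKER_ABORT_TX = Tx(
    mint={(FAKE_HEAD_ID, ST): -1},
    outputs=[TxOut(ATTACKER_WALLET, "", {(HEAD_ID, PT): 1})],
)

if __name__ == "__main__":
    print("vulnerable policy accepts malicious init:", mint_check_vulnerable(MALICIOUS_TX, HEAD_ID, 3))
    print("fixed policy accepts malicious init:", mint_check_fixed(MALICIOUS_TX, HEAD_ID, 3))
    print("initial validator releases the output:", initial_validator_abort(MALICIOUS_TX.outputs[2], ATTACKER_ABORT_TX))
    print("real PTs now in attacker wallet:", pts_sent_to(ATTACKER_ABORT_TX, ATTACKER_WALLET, HEAD_ID))
```

The point of the model is the dependency between the two scripts: the initial validator is parameterised by whatever head ID its datum carries, so the minting policy is the only place that can pin that datum to the real head ID at init time. Once that check is in place, the malicious init transaction is rejected before any PT is ever locked with a forged datum.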
Recommendations: For versions prior to 0.13.0, update to version 0.13.0, which fixes the issue. Until the update is applied, as a temporary workaround, restrict access to the initial validator and to the collectCom transaction to reduce the risk of exploitation, and avoid using the Commit datum in the collectCom transaction until the issue is resolved.



Related Identifiers

CVE-2023-42449
GHSA-9M8Q-7WXV-V65P

Affected Products

Hydra