PT-2023-28592 · Cardano · Hydra
Jmhrpr · Published 2023-09-21 · Updated 2023-10-03 · CVE-2023-42806
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Hydra versions prior to 0.13.0
Description
Hydra is the layer-two scalability solution for Cardano. Not signing and verifying cid allows an attacker, who must be a participant of the head, to use a snapshot from an old head instance with the same participants to close the head or to contest its state. This can lead to an incorrect distribution of value, resulting in a value-extraction attack, or prevent the head from finalizing due to inconsistent value availability, causing a denial of service.
Recommendations
For versions prior to 0.13.0, as a temporary workaround, consider rotating keys between heads so that the same set of multi-signature participants is not reused.
A patch is planned for version 0.13.0.
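As an added illustration, not code from this advisory or from the Hydra project, the snippet below models why a signature that does not cover the head identifier is replayable between heads. It uses a constructed HMAC-SHA256 stand-in for the participants' multi-signature (an assumption; Hydra's real signing scheme and message layout differ) and constructed keys, snapshot and head ids.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed stand-in for the multi-signature: each participant holds a symmetric key
# and an HMAC-SHA256 tag plays the role of that participant's signature (assumption only).
PARTICIPANT_KEYS = {
    "alice": b"alice-key-constructed",
    "bob": b"bob-key-constructed",
}


def snapshot_bytes(snapshot: dict) -> bytes:
    """Canonical encoding so every participant signs identical bytes."""
    return json.dumps(snapshot, sort_keys=True).encode()


def signed_message(snapshot: dict, head_id: Optional[str]) -> bytes:
    """head_id=None models signing the snapshot alone; a head id binds the signature to one head."""
    prefix = b"" if head_id is None else head_id.encode() + b"|"
    return prefix + snapshot_bytes(snapshot)


def multisign(snapshot: dict, head_id: Optional[str]) -> Dict[str, str]:
    msg = signed_message(snapshot, head_id)
    return {p: hmac.new(k, msg, hashlib.sha256).hexdigest() for p, k in PARTICIPANT_KEYS.items()}


def verify(snapshot: dict, head_id: Optional[str], sigs: Dict[str, str]) -> bool:
    """Accept only if every participant's signature verifies over the message this head expects."""
    msg = signed_message(snapshot, head_id)
    return all(
        p in sigs and hmac.compare_digest(sigs[p], hmac.new(k, msg, hashlib.sha256).hexdigest())
        for p, k in PARTICIPANT_KEYS.items()
    )


def replay_check() -> Dict[str, bool]:
    """Does a snapshot signed in an old head verify in a new head with the same participants?"""
    old_snapshot = {"number": 7, "utxo": {"alice": 90, "bob": 10}}  # constructed old-head state
    sigs_unbound = multisign(old_snapshot, None)        # signatures do not cover any head id
    sigs_bound = multisign(old_snapshot, "head-old")    # signatures cover the old head id
    return {
        # The verifier cannot distinguish heads, so the old signatures pass in the new head.
        "unbound_accepts_replay": verify(old_snapshot, None, sigs_unbound),
        # With the head id inside the signed bytes, the old signatures fail in the new head ...
        "bound_accepts_replay": verify(old_snapshot, "head-new", sigs_bound),
        # ... while a snapshot genuinely signed for the new head still verifies.
        "bound_accepts_genuine": verify(old_snapshot, "head-new", multisign(old_snapshot, "head-new")),
    }
```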
Weakness Enumeration
Improper Verification of Cryptographic Signature
Related identifiers
CVE-2023-42806
Affected products
Hydra