CVE-2024-34360

Name of the Vulnerable Software and Affected Versions go-spacemesh versions prior to 1.5.2-hotfix1 Spacemesh API versions prior to 1.37.1

Description The issue allows nodes to publish activations transactions (ATXs) that reference an incorrect previous ATX of the Smesher that created the ATX. This breaks the protocol rule that ATXs should form a single chain from the newest to the first ATX ever published by an identity. As a result, nodes can be rewarded for holding their PoST data for less than one epoch while still being eligible for rewards, serving as an attack vector.

Recommendations For go-spacemesh versions prior to 1.5.2-hotfix1, update to version 1.5.2-hotfix1 to fix the vulnerability. For Spacemesh API versions prior to 1.37.1, update to version 1.37.1 to fix the vulnerability. As a temporary workaround, consider restricting the ability to publish ATXs that reference an earlier ATX as previous until a patch is available.