PT-2024-29653 · Fuels-Ts · Fuels-Ts

Torres-Ssf · Published 2024-07-30 · Updated 2024-07-31 · CVE-2024-41945

CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: fuels-ts (affected versions not specified)
Description: The TypeScript SDK has no awareness of pending (not yet included) transactions, so some transactions fail or are silently pruned because they are funded with UTXOs that an earlier transaction already spends. The cause is that the fund function in fuels-ts/packages/account/src/account.ts obtains the needed resources statelessly through getResourcesToSpend, without taking into account UTXOs that have already been handed out to a previous transaction. This can lead to unexpected SDK behaviour, such as a transaction not being admitted to the txpool, or a previous transaction being silently removed from the txpool and replaced by the new one.
Recommendations: To resolve this issue, it is recommended to add a buffer to the Account class in which retrieved resources are recorded. These can then be passed to getResourcesToSpend as exclusions for later queries; they must be removed from the buffer if their transaction fails to be included, so that those resources can be spent again in such cases.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
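The following is an added illustration of the flaw and of the recommended buffer, written for this page; it is not fuels-ts code, and the names Utxo, selectStateless, PendingAwareSelector, fund and release are hypothetical stand-ins for the SDK's own API.

```typescript
// Hypothetical model of UTXO selection; not fuels-ts code.
interface Utxo { id: string; amount: number; }

// Constructed sample: three coins owned by one account.
const SAMPLE_UTXOS: Utxo[] = [
  { id: "coin-a", amount: 50 },
  { id: "coin-b", amount: 30 },
  { id: "coin-c", amount: 20 },
];

// Stateless greedy selection, mirroring the advisory's problem: every call sees the
// same chain state, so two transactions funded before either is included both get
// "coin-a" and the second one fails or evicts the first from the txpool.
function selectStateless(utxos: Utxo[], needed: number): Utxo[] {
  const picked: Utxo[] = [];
  let total = 0;
  for (const u of utxos) {
    if (total >= needed) break;
    picked.push(u);
    total += u.amount;
  }
  if (total < needed) throw new Error("insufficient funds");
  return picked;
}

// Shape of the recommended fix: remember which resources are already committed to an
// in-flight transaction, exclude them from later selections, and release them when
// that transaction fails so they can be spent again.
class PendingAwareSelector {
  private readonly pending = new Map<string, string>(); // utxo id -> tx id

  constructor(private readonly utxos: Utxo[]) {}

  fund(txId: string, needed: number): Utxo[] {
    const free = this.utxos.filter((u) => !this.pending.has(u.id));
    const picked = selectStateless(free, needed); // same greedy pick, unreserved coins only
    for (const u of picked) this.pending.set(u.id, txId);
    return picked;
  }

  // Call when the transaction is dropped or fails: its coins become spendable again.
  release(txId: string): void {
    this.pending.forEach((tx, id) => { if (tx === txId) this.pending.delete(id); });
  }

  pendingIds(): string[] { return Array.from(this.pending.keys()).sort(); }
}

// True when two back-to-back stateless selections hand out the same coin.
function statelessCollides(): boolean {
  const tx1 = selectStateless(SAMPLE_UTXOS, 40);
  const tx2 = selectStateless(SAMPLE_UTXOS, 40);
  return tx1.some((u) => tx2.some((v) => v.id === u.id));
}
```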

Related Identifiers

CVE-2024-41945
GHSA-3JCG-VX7F-J6QF

Affected Products

Fuels-Ts