
ckb: Large dep group requires a lot of resources to process but the cost to commit the transaction is very low.

Moderate severity GitHub Reviewed Published Nov 2, 2022 in nervosnetwork/ckb • Updated Jan 8, 2023

Package

cargo ckb (Rust)

Affected versions

< 0.43.3

Patched versions

0.43.3

Description

Impact

When a transaction contains a dep group with many cells, the resources required to process it are not proportional to either the transaction size or the script cycles it consumes. The sender pays only for a small transaction, while every node that receives it has to resolve and load each cell the dep group expands to.

Patches

In 0.43.3, nodes drop transactions relayed to them that contain a dep group with more than 64 cells. They do not ban the peers that sent such transactions.

In 0.100, the consensus rules disallow transactions that use a dep group with more than 64 cells. Peers relaying such transactions must be banned. Blocks committing such transactions must be rejected.
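The following is an added example, not code from the ckb repository. It models the check the two patches describe: count the out-points a dep group expands to before anything is resolved or executed, reject when the count exceeds 64, and then apply either the 0.43.3 relay policy (drop, no ban) or the 0.100 consensus policy (ban the relaying peer). The OutPoint, CellDep, Transaction and CellStore types are simplified stand-ins for this example; real CKB stores a dep group's member list as a molecule-serialized OutPointVec in the cell's data, and that encoding is not modeled here.

```rust
// Added example, not ckb's own code. Demonstrates the dep group size limit
// from the advisory and the two peer policies (0.43.3 vs 0.100).
use std::collections::HashMap;

/// Limit stated in the advisory: a dep group may expand to at most 64 cells.
pub const MAX_DEP_GROUP_CELLS: usize = 64;

/// Simplified out-point (tx hash, output index). Assumed shape for the example.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct OutPoint {
    pub tx_hash: [u8; 32],
    pub index: u32,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum DepType {
    Code,
    DepGroup,
}

#[derive(Clone, Debug)]
pub struct CellDep {
    pub out_point: OutPoint,
    pub dep_type: DepType,
}

/// Only the cell_deps field matters for this check.
pub struct Transaction {
    pub cell_deps: Vec<CellDep>,
}

/// Stand-in for chain state. For a dep group cell the stored value is the
/// list of out-points it expands to (the molecule encoding is not modeled).
pub struct CellStore {
    cells: HashMap<OutPoint, Vec<OutPoint>>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum DepError {
    MissingCell(OutPoint),
    /// The dep group at `out_point` expands to `count` cells, over the limit.
    DepGroupTooLarge { out_point: OutPoint, count: usize },
}

/// Validate dep group sizes before resolving members or running any script.
/// The check reads one cell's data per dep group and never loads the expanded
/// cells, so its cost stays bounded no matter what the sender put in the group.
/// Returns the total number of dep cells the transaction would expand to.
pub fn check_dep_group_sizes(tx: &Transaction, store: &CellStore) -> Result<usize, DepError> {
    let mut expanded = 0;
    for dep in &tx.cell_deps {
        match dep.dep_type {
            DepType::Code => expanded += 1,
            DepType::DepGroup => {
                let members = store
                    .cells
                    .get(&dep.out_point)
                    .ok_or(DepError::MissingCell(dep.out_point))?;
                if members.len() > MAX_DEP_GROUP_CELLS {
                    return Err(DepError::DepGroupTooLarge {
                        out_point: dep.out_point,
                        count: members.len(),
                    });
                }
                expanded += members.len();
            }
        }
    }
    Ok(expanded)
}

#[derive(Debug, PartialEq, Eq)]
pub enum PeerAction {
    Accept,
    DropTx,
    BanPeer,
}

/// 0.43.3 (consensus_enforced = false): an oversized dep group is dropped and
/// the peer is not banned. 0.100 (consensus_enforced = true): it violates a
/// consensus rule, so the relaying peer is banned. Other failures, such as an
/// unresolvable dep, are simply dropped in this example.
pub fn relay_action(err: Option<&DepError>, consensus_enforced: bool) -> PeerAction {
    match (err, consensus_enforced) {
        (None, _) => PeerAction::Accept,
        (Some(DepError::DepGroupTooLarge { .. }), true) => PeerAction::BanPeer,
        (Some(_), _) => PeerAction::DropTx,
    }
}

/// Constructed input: one transaction whose single cell dep is a dep group
/// that expands to `member_count` out-points.
pub fn make_dep_group_tx(member_count: usize) -> (Transaction, CellStore) {
    let group_out_point = OutPoint { tx_hash: [0xaa; 32], index: 0 };
    let members: Vec<OutPoint> = (0..member_count as u32)
        .map(|i| OutPoint { tx_hash: [0xbb; 32], index: i })
        .collect();
    let mut cells = HashMap::new();
    cells.insert(group_out_point, members);
    let tx = Transaction {
        cell_deps: vec![CellDep { out_point: group_out_point, dep_type: DepType::DepGroup }],
    };
    (tx, CellStore { cells })
}

fn main() {
    for n in [64usize, 65] {
        let (tx, store) = make_dep_group_tx(n);
        let result = check_dep_group_sizes(&tx, &store);
        println!(
            "dep group with {} cells: {:?}; 0.43.3 -> {:?}, 0.100 -> {:?}",
            n,
            result,
            relay_action(result.as_ref().err(), false),
            relay_action(result.as_ref().err(), true)
        );
    }
}
```

Running it shows a 64-cell dep group accepted by both policies and a 65-cell one dropped under the 0.43.3 policy and banned under the 0.100 policy. The point of doing the size check on the raw member count, before resolution, is that the node never pays the non-linear cost the advisory describes for a transaction it is going to reject anyway.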

References

@doitian doitian published to nervosnetwork/ckb Nov 2, 2022
Published to the GitHub Advisory Database Nov 2, 2022
Reviewed Nov 2, 2022
Last updated Jan 8, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-9mfc-chwf-7whf

Source code
