GHSA-v666-6w97-pcwm: Miner fails to get block template when a cell used as a cell dep has been destroyed.

August 25, 2021

The RPC get_block_template fails when a cell has been used as a cell dep and an input in the different transactions.

Say cell C is used as a dep group in the transaction A, and is destroyed in the transaction B.

The node adds transaction A first, then B into the transaction pool. They are both valid. But when generating the block template, if the fee rate of B is higher, it comes before A, which will invalidate A. Currently the RPC get_block_template will fail instead of dropping A.

References

github.com/advisories/GHSA-v666-6w97-pcwm
github.com/nervosnetwork/ckb/security/advisories/GHSA-v666-6w97-pcwm
rustsec.org/advisories/RUSTSEC-2021-0107.html

Detect and mitigate GHSA-v666-6w97-pcwm with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →