CVE-2024-34360: Previous ATX is not checked to be the newest valid ATX by Smesher when validating incoming ATX
Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule and can serve as an attack vector where Nodes are rewarded for holding their PoST data for less than one epoch but still being eligible for rewards.
References
- github.com/advisories/GHSA-jcqq-g64v-gcm7
- github.com/spacemeshos/api/commit/1d5bd972bbe225d024c3e0ae5214ddb6b481716e
- github.com/spacemeshos/go-spacemesh
- github.com/spacemeshos/go-spacemesh/commit/9aff88d54be809ac43d60e8a8b4d65359c356b87
- github.com/spacemeshos/go-spacemesh/security/advisories/GHSA-jcqq-g64v-gcm7
- nvd.nist.gov/vuln/detail/CVE-2024-34360
- spacemesh.io/blog/spacemesh-white-paper-1
Code Behaviors & Features
Detect and mitigate CVE-2024-34360 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →