Beware of Malicious Actors on Cardano’s Hydra Protocol

CVE: CVE-2023-42449
CVSS (v3.1): 8.1
Source: CVE-2023-42449

Cardano’s Hydra protocol, which aims to scale the blockchain through layer-2 solutions, was found to have a vulnerability prior to version 0.13.0 that could allow malicious actors to exploit users.

The issue lies in the protocol’s initialization process, where a “head initializer” is responsible for setting up a new scaling instance called a “head”. Unfortunately, the code did not properly validate data during this stage, allowing the initializer to steal “payment tokens” (PTs) meant for other participants.

With a stolen PT, the attacker could then lock users’ committed funds indefinitely, or even spoof transactions to steal ADA directly from other users. For example, the attacker could claim to have deposited a certain amount, like 100 ADA, without ever providing those funds, and then force anyone wanting to access the funds to pay the attacker.

Luckily, IOHK has addressed this vulnerability in version 0.13.0 of Cardano’s Hydra protocol. But it serves as a reminder that decentralized protocols require diligence from all parties.

If you participate in Hydra, be wary of initializers requesting funds during head setup. And stay on top of software updates to protect yourself from exploits. With open collaboration on security, Cardano aims to provide a safe environment for all.
