Vulnerabilities in input-output-hk
4 results

CVE-2023-38701 (CRITICAL)
Hydra's committed UTxOs at Commit validator and UTxOs at Initial validator can be spent arbitrarily by anyone
EPSS 0.9%

CVE-2023-42449 (HIGH)
Malicious head initialiser can extract PTs from control of Hydra scripts, leading to locked participant commits or spoofed commits
EPSS 0.9%

CVE-2023-42448 (HIGH)
Hydra's contestation period in head datum can be modified during Close transaction, allowing malicious participant to freely modify the contestation deadline
EPSS 0.8%

CVE-2023-42806 (MEDIUM)
Snapshot signature not including HeadID will allow replay attacks
EPSS 0.4%