CVE-2023-38701

9.1 CRITICAL

📋 TL;DR

This vulnerability in Hydra (Cardano's layer-2 scalability solution) allows attackers to steal funds that users are trying to commit to Hydra heads and prevent Hydra heads from opening. The flaw is in the commit validator's ViaAbort redeemer check, which permits unauthorized spending of committed UTxOs. All Hydra users attempting to commit funds are affected.

💻 Affected Systems

Products:
  • Hydra (Cardano layer-2 solution)
Versions: All versions prior to 0.12.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Hydra deployments using the vulnerable commit validator are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers steal all funds users attempt to commit to any Hydra head, causing total loss of committed assets and preventing all Hydra head operations.

🟠 Likely Case: Opportunistic attackers target vulnerable Hydra heads to steal committed funds, particularly during periods of high transaction activity.

🟢 If Mitigated: With proper monitoring and quick response, losses are limited to small amounts before detection and mitigation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the smart contract logic and requires blockchain transaction submission but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.0

Vendor Advisory: https://github.com/input-output-hk/hydra/security/advisories/GHSA-6x9v-7x5r-w8w6

Restart Required: Yes

Instructions:

1. Stop all Hydra services.
2. Update to Hydra version 0.12.0 or later.
3. Restart Hydra services.
4. Verify the new version is running.

🔧 Temporary Workarounds

Disable Hydra head operations

Applies to all deployments: temporarily stop all Hydra head commit operations so that no funds are exposed to the vulnerable commit validator.

# Stop Hydra services
systemctl stop hydra-node
# Or equivalent service management command

🧯 If You Can't Patch

  • Monitor for unauthorized ViaAbort transactions and implement emergency response procedures
  • Implement additional transaction validation layers before broadcasting to network

🔍 How to Verify

Check if Vulnerable:

Check the Hydra version: any version below 0.12.0 is vulnerable.

Check Version:

hydra-node --version

Verify Fix Applied:

Confirm Hydra version is 0.12.0 or higher and monitor for successful Hydra head operations without unauthorized ViaAbort transactions.
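The version check above, as an added helper that is not part of the advisory or of the Hydra project: it takes the text printed by `hydra-node --version`, extracts the first X.Y.Z version number it contains and compares it numerically against the fixed release 0.12.0. The exact output format of `hydra-node --version` is an assumption, which is why the function accepts the string as an argument and is exercised here on constructed values.

```shell
#!/bin/sh
# Added example: classify a hydra-node version string against the fixed
# release 0.12.0 (the patch version named in the advisory).
# The output format of `hydra-node --version` is assumed, not verified.

FIXED_VERSION="0.12.0"

# Print the first dotted numeric version (X.Y.Z) found in the input text,
# or nothing if the text carries no such version.
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 (true) if version $1 is strictly lower than version $2,
# comparing the three components numerically (so 0.9.9 < 0.12.0).
version_lt() {
  v1=$1
  v2=$2
  i=1
  while [ "$i" -le 3 ]; do
    p1=$(printf '%s' "$v1" | cut -d. -f"$i")
    p2=$(printf '%s' "$v2" | cut -d. -f"$i")
    p1=${p1:-0}
    p2=${p2:-0}
    if [ "$p1" -lt "$p2" ]; then return 0; fi
    if [ "$p1" -gt "$p2" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# Print "vulnerable", "patched" or "unknown" for the given version text.
# Exit status: 0 patched, 1 vulnerable, 2 version not recognised.
assess_hydra_version() {
  v=$(extract_version "$1")
  if [ -z "$v" ]; then
    echo unknown
    return 2
  fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo vulnerable
    return 1
  fi
  echo patched
  return 0
}

# On a real host, feed the live binary's output (uncomment to use):
# assess_hydra_version "$(hydra-node --version 2>&1)"
```

The comparison is done component by component rather than as a string, so a hypothetical 0.9.9 is correctly reported as vulnerable even though "0.9.9" sorts after "0.12.0" lexically.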

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized ViaAbort redeemer usage in commit validator
  • Failed Hydra head initializations
  • Unexpected fund transfers from commit addresses

Network Indicators:

  • Unusual transaction patterns targeting Hydra commit addresses
  • Multiple ViaAbort transactions from non-participant addresses

SIEM Query:

transaction_type:"ViaAbort" AND validator:"commit" AND NOT address IN [participant_addresses]
