Core-SV-072 |
Slow query stopped nodes when requesting blocks from specific generators |
Closed |
v2.7.13 |
Core-SV-071 |
Reviver function in the transport codec could cause denial of service |
Closed |
v2.7.13 |
Core-SV-070 |
Incoming connections were not banned when failing basic validation checks |
Closed |
v2.7.13 |
Core-SV-069 |
Exceeding individual but not global rate limit evaded ban |
Closed |
v2.7.13 |
Core-SV-068 |
Automatic peer reconnection did not reattach socket event listeners |
Closed |
v2.7.13 |
Core-SV-067 |
Schema violation requesting common blocks did not close the connection |
Closed |
v2.7.13 |
Core-SV-066 |
Blocks were accepted but not propagated if received out of slot |
Closed |
v2.7.13 |
Core-SV-065 |
Requesting blocks at a very high height locked up PostgreSQL |
Closed |
v2.7.6 |
Core-SV-064 |
Binary data payloads could stop forging |
Closed |
v2.7.6 |
Core-SV-063 |
Large payloads sent to internal endpoints prevented forging |
Closed |
v2.7.6 |
Core-SV-062 |
Outgoing connections were not destroyed after receiving unsupported WebSocket frames |
Closed |
v2.7.1 |
Core-SV-061 |
Peer lists could exceed the maximum permitted payload size |
Closed |
v2.7.0 |
Core-SV-060 |
Outgoing sockets were not properly rate limited |
Closed |
v2.7.0 |
Core-SV-059 |
Newly connected peers did not have an initial maximum payload limit |
Closed |
v2.6.57 |
Core-SV-058 |
Insufficient transaction asset validation |
Closed |
v2.6.57 |
Core-SV-057 |
HTTP header manipulation caused out of memory crashes |
Closed |
v2.6.54 |
Core-SV-056 |
Prepending zeros in the hex representation of a signature would change its ID |
Closed |
v2.6.52 |
Core-SV-055 |
Negative values were erroneously accepted in ECDSA signatures |
Closed |
v2.6.49 |
Core-SV-054 |
DER signature manipulation could fork the network, roll back and replay transactions |
Closed |
v2.6.49 |
Core-SV-053 |
Pool poisoning could stop delegates forging any transactions |
Closed |
v2.6.49 |
Core-SV-052 |
Port ping payload sizes were unchecked and could cause bandwidth flood attacks |
Closed |
v2.6.49 |
Core-SV-051 |
Slow PostgreSQL query attack could have caused delegates to miss blocks |
Closed |
v2.6.49 |
Core-SV-050 |
Consecutive big blocks could exceed the maximum payload limit |
Closed |
v2.6.49 |
Core-SV-049 |
ECDSA-signed block and transaction signatures were malleable |
Closed |
v2.6.39 |
Core-SV-048 |
Delayed completion of peer verification stopped nodes forging |
Closed |
v2.6.39 |
Core-SV-047 |
Block ID-based exceptions were vulnerable to preimage attacks and blockchain poisoning |
Closed |
v2.6.39 |
Core-SV-046 |
Block schema violations could halt the blockchain |
Closed |
v2.6.39 |
Core-SV-045 |
Induced slow block propagation forked the network |
Closed |
v2.6.38 |
Core-SV-044 |
Marshalled block payloads using the peer-to-peer transport codec were not sanitized |
Closed |
v2.6.37 |
Core-SV-043 |
Tree memory structure exceeded maximum call stack size when fetching unconfirmed transactions to forge |
Closed |
v2.6.36 |
Core-SV-042 |
Nonce comparison took too long to complete when fetching unconfirmed transactions to forge |
Closed |
v2.6.34 |
Core-SV-041 |
Overloading the public API could stop the transaction and block processing on a node |
Closed |
v2.6.30 |
Core-SV-040 |
Long-lived HTTP requests via the P2P layer could crash the node |
Closed |
v2.6.27 |
Core-SV-039 |
Pool wallet manager could lock up funds by not updating multipayment balances |
Closed |
v2.6.21 |
Core-SV-038 |
Plain HTTP connections to the p2p port could crash the node's operating system |
Closed |
v2.6.11 |
Core-SV-037 |
A malicious block containing thousands of transactions could take down a node |
Closed |
v2.5.36 |
Core-SV-036 |
Opening thousands of sockets caused high CPU/memory usage and full server crashes |
Closed |
v2.5.36 |
Core-SV-035 |
Broadcasting invalid WebSocket opcodes caused significant network degradation and missed blocks |
Closed |
v2.5.36 |
Core-SV-034 |
Unhandled unemitted events could trigger high CPU spikes and propagation delays |
Closed |
v2.5.36 |
Core-SV-033 |
JSON payloads with too many key-value pairs were too CPU intensive to parse |
Closed |
v2.5.36 |
Core-SV-032 |
Multiple disconnect JSON packets caused high CPU utilization |
Closed |
v2.5.31 |
Core-SV-031 |
Sending HyBi WebSocket headers with no data could stop nodes forging |
Closed |
v2.5.30 |
Core-SV-030 |
Ping control frame bombardment could prevent block propagation |
Closed |
v2.5.28 |
Core-SV-029 |
Externally hitting internal P2P endpoints could stop a node handling requests |
Closed |
v2.5.25 |
Core-SV-028 |
Rate limiting was ineffective due to inappropriate disconnection methods |
Closed |
v2.5.24 |
Core-SV-027 |
Malformed messages on the P2P layer could hang up a node and stop delegates forging |
Closed |
v2.5.24 |
Core-SV-026 |
P2P endpoint request events were not sanitised |
Closed |
v2.5.19 |
Core-SV-025 |
Core plugin names were not length restricted so could cause DoS in peer lists |
Closed |
v2.5.19 |
Core-SV-024 |
Peer lists could become too large and be manipulated to become a DDoS network |
Closed |
v2.5.14 |
Core-SV-023 |
Peer-to-peer postTransactions endpoint could be spammed to overwhelm nodes |
Closed |
v2.5.14 |
Core-SV-022 |
Delegates can be forced to forge empty blocks and genuine transactions can be evicted from the pool |
Closed |
v2.4.14 |
Core-SV-021 |
Unverified transactions in bad blocks can purge genuine transactions from the pool |
Closed |
v2.4.13 |
Core-SV-020 |
Race condition can result in blocks containing already forged transactions |
Closed |
v2.4 |
Core-SV-019 |
Block header manipulation in quorum calculations prevents nodes forging |
Closed |
v2.4 |
Core-SV-018 |
Second Signature Transaction Pool Validation |
Closed |
v2.4 |
Core-SV-017 |
Second Signature Transaction Broadcast/Sign/Order |
Closed |
v2.3 |
Core-SV-016 |
Receiving a block containing non-valid transactions causes peers to rollback |
Closed |
v2.3 |
Core-SV-015 |
Delayed block propagation causes the next delegate to miss its block |
Closed |
v2.3 |
Core-SV-014 |
API endpoint open to possible DDOS attack |
Closed |
v2.2.2 |
Core-SV-013 |
Transactions near the payload size limit can stop delegates forging |
Closed |
v2.1.2 |
Core-SV-012 |
Conflicting delegate registration transactions |
Closed |
v2.1.0 |
Core-SV-011 |
Malicious delegate zero(0) - ARK transaction spam |
Closed |
v2.0.18 |
Core-SV-010 |
Malicious delegate can cause peers to fork and roll back simultaneously |
Closed |
v2.0.19 |
Core-SV-009 |
Fake peers can be added by using non-quad-dotted notation |
Closed |
v2.0.19 |
Core-SV-008 |
Forged blocks by anyone can cause the chain to stop/or start recovering |
Closed |
v2.0.17 |
Core-SV-007 |
Forging multiple blocks in a slot and rewards hijacking |
Closed |
v2.0.17 |
Core-SV-006 |
Transaction replay attack with known 2nd signature passphrase / multisignature |
Closed |
v2.6.0 |
Core-SV-005 |
Double forging a block |
Open |
|
Core-SV-004 |
IP spoofing |
Closed |
v2.0.16 |
Core-SV-003 |
Second signature transaction replay |
Closed |
v2.0.16 |
Core-SV-002 |
Generating new Ark using multi signature transaction |
Closed |
v2.0.16 |
Core-SV-001 |
Invalid block received |
Closed |
v2.0.16 |