Vulnerability-Lookup

CVE-2023-35163 (GCVE-0-2023-35163)

Vulnerability from cvelistv5 – Published: 2023-06-23 20:25 – Updated: 2024-11-07 20:17

Title

Vega's validators able to submit duplicate transactions

Summary

Vega is a decentralized trading platform that allows pseudo-anonymous trading of derivatives on a blockchain. Prior to version 0.71.6, a vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega’s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party’s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party’s general account. This is without depositing any more than the original 100USDT on the bridge. Despite this exploit requiring access to a validator's Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network. A patch is available in version 0.71.6. No known workarounds are available, however there are mitigations in place should this vulnerability be exploited. There are monitoring alerts for `mainnet1` in place to identify any issues of this nature including this vulnerability being exploited. The validators have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited.

Severity

6 (Medium)


                        
                          CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-20 - Improper Input Validation

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/vegaprotocol/vega/security/adv…	x_refsource_CONFIRM
https://github.com/vegaprotocol/vega/commit/56b09…	x_refsource_MISC
https://github.com/vegaprotocol/vega/releases/tag…	x_refsource_MISC

Impacted products

2 products

Vendor	Product	Version
vegaprotocol	vega	Affected: < 0.71.6
vega-functions_project	vega-functions	Affected: 0 , < 0.71.6 (custom) cpe:2.3:a:vega-functions_project:vega-functions::::::node.js::*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:23:59.575Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2"
          },
          {
            "name": "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68"
          },
          {
            "name": "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:vega-functions_project:vega-functions:*:*:*:*:*:node.js:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "vega-functions",
            "vendor": "vega-functions_project",
            "versions": [
              {
                "lessThan": "0.71.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-35163",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-07T20:08:59.938438Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-07T20:17:24.917Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vega",
          "vendor": "vegaprotocol",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.71.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vega is a decentralized trading platform that allows pseudo-anonymous trading of derivatives on a blockchain. Prior to version 0.71.6, a vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega\u2019s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party\u2019s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party\u2019s general account. This is without depositing any more than the original 100USDT on the bridge. Despite this exploit requiring access to a validator\u0027s Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.\n\nA patch is available in version 0.71.6. No known workarounds are available, however there are mitigations in place should this vulnerability be exploited. There are monitoring alerts for `mainnet1` in place to identify any issues of this nature including this vulnerability being exploited. The validators have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "LOW",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-23T20:25:16.836Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2"
        },
        {
          "name": "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68"
        },
        {
          "name": "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6"
        }
      ],
      "source": {
        "advisory": "GHSA-8rc9-vxjh-qjf2",
        "discovery": "UNKNOWN"
      },
      "title": "Vega\u0027s validators able to submit duplicate transactions "
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-35163",
    "datePublished": "2023-06-23T20:25:16.836Z",
    "dateReserved": "2023-06-14T14:17:52.179Z",
    "dateUpdated": "2024-11-07T20:17:24.917Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-35163",
      "date": "2026-06-07",
      "epss": "0.00072",
      "percentile": "0.2209"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-35163\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-06-23T21:15:09.473\",\"lastModified\":\"2024-11-21T08:08:04.280\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vega is a decentralized trading platform that allows pseudo-anonymous trading of derivatives on a blockchain. Prior to version 0.71.6, a vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega\u2019s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party\u2019s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party\u2019s general account. This is without depositing any more than the original 100USDT on the bridge. Despite this exploit requiring access to a validator\u0027s Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.\\n\\nA patch is available in version 0.71.6. No known workarounds are available, however there are mitigations in place should this vulnerability be exploited. There are monitoring alerts for `mainnet1` in place to identify any issues of this nature including this vulnerability being exploited. The validators have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.2,\"impactScore\":5.3},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L\",\"baseScore\":5.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gobalsky:vega:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.71.6\",\"matchCriteriaId\":\"D319C59F-98E1-4772-9AF9-E5F381967AAA\"}]}]}],\"references\":[{\"url\":\"https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vegaprotocol/vega/releases/tag/v0.71.6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vegaprotocol/vega/releases/tag/v0.71.6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2\", \"name\": \"https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68\", \"name\": \"https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/vegaprotocol/vega/releases/tag/v0.71.6\", \"name\": \"https://github.com/vegaprotocol/vega/releases/tag/v0.71.6\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T16:23:59.575Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-35163\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-07T20:08:59.938438Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:vega-functions_project:vega-functions:*:*:*:*:*:node.js:*:*\"], \"vendor\": \"vega-functions_project\", \"product\": \"vega-functions\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.71.6\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-07T20:17:19.335Z\"}}], \"cna\": {\"title\": \"Vega\u0027s validators able to submit duplicate transactions \", \"source\": {\"advisory\": \"GHSA-8rc9-vxjh-qjf2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6, \"attackVector\": \"PHYSICAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"vegaprotocol\", \"product\": \"vega\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.71.6\"}]}], \"references\": [{\"url\": \"https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2\", \"name\": \"https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68\", \"name\": \"https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/vegaprotocol/vega/releases/tag/v0.71.6\", \"name\": \"https://github.com/vegaprotocol/vega/releases/tag/v0.71.6\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vega is a decentralized trading platform that allows pseudo-anonymous trading of derivatives on a blockchain. Prior to version 0.71.6, a vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega\\u2019s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party\\u2019s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party\\u2019s general account. This is without depositing any more than the original 100USDT on the bridge. Despite this exploit requiring access to a validator\u0027s Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.\\n\\nA patch is available in version 0.71.6. No known workarounds are available, however there are mitigations in place should this vulnerability be exploited. There are monitoring alerts for `mainnet1` in place to identify any issues of this nature including this vulnerability being exploited. The validators have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-06-23T20:25:16.836Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-35163\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-07T20:17:24.917Z\", \"dateReserved\": \"2023-06-14T14:17:52.179Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-06-23T20:25:16.836Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2023-35163

Vulnerability from fkie_nvd - Published: 2023-06-23 21:15 - Updated: 2024-11-21 08:08

Severity

6.0 (Medium) - CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L
5.2 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68	Patch
security-advisories@github.com	https://github.com/vegaprotocol/vega/releases/tag/v0.71.6	Release Notes
security-advisories@github.com	https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2	Exploit, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vegaprotocol/vega/releases/tag/v0.71.6	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	gobalsky	vega	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gobalsky:vega:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D319C59F-98E1-4772-9AF9-E5F381967AAA",
              "versionEndExcluding": "0.71.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vega is a decentralized trading platform that allows pseudo-anonymous trading of derivatives on a blockchain. Prior to version 0.71.6, a vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega\u2019s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party\u2019s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party\u2019s general account. This is without depositing any more than the original 100USDT on the bridge. Despite this exploit requiring access to a validator\u0027s Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.\n\nA patch is available in version 0.71.6. No known workarounds are available, however there are mitigations in place should this vulnerability be exploited. There are monitoring alerts for `mainnet1` in place to identify any issues of this nature including this vulnerability being exploited. The validators have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited."
    }
  ],
  "id": "CVE-2023-35163",
  "lastModified": "2024-11-21T08:08:04.280",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "LOW",
          "baseScore": 6.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 0.2,
        "impactScore": 5.3,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "LOW",
          "baseScore": 5.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 4.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-06-23T21:15:09.473",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-8RC9-VXJH-QJF2

Vulnerability from github – Published: 2023-06-20 16:36 – Updated: 2023-06-26 16:32

Summary

Vega's validators able to submit duplicate transactions

Details

A vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega’s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party’s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party’s general account. This is without depositing any more than the original 100USDT on the bridge.

Despite this exploit requiring access to a validator's Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.

The steps to carry out this exploit are as follows: 1. Cause an Ethereum event on one of the bridge contracts e.g a deposit to the collateral bridge, or the staking bridge 2. This will result in the Ethereum-event-forwarder of each node to submit a ChainEvent transaction to the Vega network corresponding to that event 3. Scrape the valid chain event transaction from the Tendermint block data using a node’s Tendermint API 4. Change the value of the txId field of the ChainEvent to any valid, but different, value 5. Bundle the tweaked ChainEvent into a new transaction, sign it with a validator key and resubmit to the Vega network 6. The fraudulent ChainEvent will be processed by Vega as if it were a new ChainEvent even though it did not occur on Ethereum

The key to this exploit is in step 4. The txId field of the ChainEvent is used when checking for ChainEvent resubmission, but NOT during the subsequent on-chain verification of the event. Therefore changing the txId of an existing ChainEvent is enough to by-pass the duplication check and for it to still be verified as a real event.

Impact

The impact of this exploit is dependent on the ChainEvent being manipulated. The below table describes each one:

Chain Event	Allows	Consequence
Deposit	Generation of unlimited funds of any asset	Withdrawal of all assets
Stake Deposit	Delegate unlimited Vega to a single node	A single node has controlling amount of voting power
Stake Removed	Force a Validator node to drop below self-stake requirements	Prevents reward payouts
Bridge Stop	The Vega network to think the bridge is stopped	Prevent anyone from withdrawing funds
Signer Removed	The Vega network to think a validator nodes is not on the multisig contract	Prevent reward payouts

Patches

v0.71.6

Workarounds

No work around known, however there are mitigations in place should this vulnerability be exploited:

there are monitoring alerts, for mainnet1, in place to identify any issues of this nature including this vulnerability being exploited
the validators have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited

References

N/A

Severity

6.0 (Medium)


                  
                    CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.vegaprotocol.io/vega"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.71.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-35163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-20T16:36:18Z",
    "nvd_published_at": "2023-06-23T21:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega\u2019s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party\u2019s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party\u2019s general account. This is without depositing any more than the original 100USDT on the bridge.\n\nDespite this exploit requiring access to a validator\u0027s Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.\n\nThe steps to carry out this exploit are as follows:\n1. Cause an Ethereum event on one of the bridge contracts e.g a deposit to the collateral bridge, or the staking bridge\n2. This will result in the Ethereum-event-forwarder of each node to submit a ChainEvent transaction to the Vega network corresponding to that event\n3. Scrape the valid chain event transaction from the Tendermint block data using a node\u2019s Tendermint API\n4. Change the value of the `txId` field of the ChainEvent to any valid, but different, value\n5. Bundle the tweaked ChainEvent into a new transaction, sign it with a validator key and resubmit to the Vega network\n6. The fraudulent ChainEvent will be processed by Vega as if it were a new ChainEvent even though it did not occur on Ethereum\n\nThe key to this exploit is in step 4. The `txId` field of the ChainEvent is used when checking for ChainEvent resubmission, but NOT during the subsequent on-chain verification of the event. Therefore changing the `txId` of an existing ChainEvent is enough to by-pass the duplication check and for it to still be verified as a real event.\n\n### Impact\nThe impact of this exploit is dependent on the ChainEvent being manipulated. The below table describes each one:\n\n| Chain Event  | Allows | Consequence |\n| ------------- | ------------- | ------------- |\n| Deposit | Generation of unlimited funds of any asset  | Withdrawal of all assets |\n| Stake Deposit  | Delegate unlimited Vega to a single node  | A single node has controlling amount of voting power  |\n| Stake Removed  | Force a Validator node to drop below self-stake requirements  | Prevents reward payouts  |\n| Bridge Stop  | The Vega network to think the bridge is stopped  | Prevent anyone from withdrawing funds  |\n| Signer Removed  | The Vega network to think a validator nodes is not on the multisig contract  | Prevent reward payouts  |\n\n### Patches\nv0.71.6\n\n### Workarounds\nNo work around known, however there are mitigations in place should this vulnerability be exploited:\n\n- there are monitoring alerts, for `mainnet1`, in place to identify any issues of this nature including this vulnerability being exploited\n- the validators have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited\n\n### References\nN/A\n",
  "id": "GHSA-8rc9-vxjh-qjf2",
  "modified": "2023-06-26T16:32:12Z",
  "published": "2023-06-20T16:36:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35163"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vegaprotocol/vega"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vega\u0027s validators able to submit duplicate transactions "
}

GSD-2023-35163

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-35163

Aliases

CVE-2023-35163

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-35163",
    "id": "GSD-2023-35163"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-35163"
      ],
      "details": "Vega is a decentralized trading platform that allows pseudo-anonymous trading of derivatives on a blockchain. Prior to version 0.71.6, a vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega\u2019s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party\u2019s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party\u2019s general account. This is without depositing any more than the original 100USDT on the bridge. Despite this exploit requiring access to a validator\u0027s Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.\n\nA patch is available in version 0.71.6. No known workarounds are available, however there are mitigations in place should this vulnerability be exploited. There are monitoring alerts for `mainnet1` in place to identify any issues of this nature including this vulnerability being exploited. The validators have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited.",
      "id": "GSD-2023-35163",
      "modified": "2023-12-13T01:20:46.069306Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-35163",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "vega",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 0.71.6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "vegaprotocol"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Vega is a decentralized trading platform that allows pseudo-anonymous trading of derivatives on a blockchain. Prior to version 0.71.6, a vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega\u2019s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party\u2019s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party\u2019s general account. This is without depositing any more than the original 100USDT on the bridge. Despite this exploit requiring access to a validator\u0027s Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.\n\nA patch is available in version 0.71.6. No known workarounds are available, however there are mitigations in place should this vulnerability be exploited. There are monitoring alerts for `mainnet1` in place to identify any issues of this nature including this vulnerability being exploited. The validators have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "LOW",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-20",
                "lang": "eng",
                "value": "CWE-20: Improper Input Validation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2",
            "refsource": "MISC",
            "url": "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2"
          },
          {
            "name": "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68",
            "refsource": "MISC",
            "url": "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68"
          },
          {
            "name": "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6",
            "refsource": "MISC",
            "url": "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-8rc9-vxjh-qjf2",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.71.6",
          "affected_versions": "All versions before 0.71.6",
          "cvss_v3": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2023-06-27",
          "description": "Vega is a decentralized trading platform that allows pseudo-anonymous trading of derivatives on a blockchain. Prior to version 0.71.6, a vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega\u2019s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party\u2019s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party\u2019s general account. This is without depositing any more than the original 100USDT on the bridge. Despite this exploit requiring access to a validator\u0027s Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.\n\nA patch is available in version 0.71.6. No known workarounds are available, however there are mitigations in place should this vulnerability be exploited. There are monitoring alerts for `mainnet1` in place to identify any issues of this nature including this vulnerability being exploited. The validators have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited.",
          "fixed_versions": [
            "0.71.6"
          ],
          "identifier": "CVE-2023-35163",
          "identifiers": [
            "GHSA-8rc9-vxjh-qjf2",
            "CVE-2023-35163"
          ],
          "not_impacted": "All versions starting from 0.71.6",
          "package_slug": "go/code.vegaprotocol.io/vega",
          "pubdate": "2023-06-20",
          "solution": "Upgrade to version 0.71.6 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2",
            "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68",
            "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-35163",
            "https://github.com/advisories/GHSA-8rc9-vxjh-qjf2"
          ],
          "uuid": "a5a3724c-3430-46ab-a91e-ae057d03a19e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:gobalsky:vega:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.71.6",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-35163"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Vega is a decentralized trading platform that allows pseudo-anonymous trading of derivatives on a blockchain. Prior to version 0.71.6, a vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega\u2019s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party\u2019s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party\u2019s general account. This is without depositing any more than the original 100USDT on the bridge. Despite this exploit requiring access to a validator\u0027s Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.\n\nA patch is available in version 0.71.6. No known workarounds are available, however there are mitigations in place should this vulnerability be exploited. There are monitoring alerts for `mainnet1` in place to identify any issues of this nature including this vulnerability being exploited. The validators have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://github.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2"
            },
            {
              "name": "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68"
            },
            {
              "name": "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/vegaprotocol/vega/releases/tag/v0.71.6"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          },
          "exploitabilityScore": 0.9,
          "impactScore": 4.2
        }
      },
      "lastModifiedDate": "2023-08-17T14:29Z",
      "publishedDate": "2023-06-23T21:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-35163 (GCVE-0-2023-35163)

FKIE_CVE-2023-35163

GHSA-8RC9-VXJH-QJF2

Impact

Patches

Workarounds

References

GSD-2023-35163

Tags

Sightings

Nomenclature