SCA: security update for code.vegaprotocol.io/vega (GHSA-8rc9-vxjh-qjf2)

medium Tenable Cloud Security Plugin ID 412833

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Vega is a decentralized trading platform that allows pseudo-anonymous trading of derivatives on a
blockchain. Prior to version 0.71.6, a vulnerability exists that allows a malicious validator to trick the
Vega network into re-processing past Ethereum events from Vega’s Ethereum bridge. For example, a deposit
to the collateral bridge for 100USDT that credits a party’s general account on Vega, can be re-processed
50 times resulting in 5000USDT in that party’s general account. This is without depositing any more than
the original 100USDT on the bridge. Despite this exploit requiring access to a validator's Vega key, a
validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto
the network. A patch is available in version 0.71.6. No known workarounds are available, however there are
mitigations in place should this vulnerability be exploited. There are monitoring alerts for `mainnet1` in
place to identify any issues of this nature including this vulnerability being exploited. The validators
have the ability to stop the bridge thus stopping any withdrawals should this vulnerability be exploited.
(CVE-2023-35163)

See Also

https://github.com/advisories/GHSA-8rc9-vxjh-qjf2

Plugin Details

Severity: Medium

ID: 412833

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 51.91

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 4.4

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:C/A:P

CVSS Score Source: CVE-2023-35163

CVSS v3

Risk Factor: Medium

Base Score: 5.2

Temporal Score: 4.7

Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/20/2023

Vulnerability Publication Date: 6/20/2023

Reference Information

CVE: CVE-2023-35163

cwe: CWE-20