CVE-2021-45698: 
Rust vulnerability analysis and mitigation

An issue was discovered in the ckb crate before 0.40.0 for Rust. A getblocktemplate RPC call may fail in situations where it is supposed to select a Nervos CKB blockchain transaction with a higher fee rate than another transaction (RustSec Advisory, NVD). The vulnerability was reported on July 25, 2021, and affects the Nervos CKB blockchain node software.

The vulnerability occurs when a cell has been used as both a cell dep and an input in different transactions. For example, if cell C is used as a dep group in transaction A and is destroyed in transaction B, and both transactions are added to the transaction pool (with A being added first), the issue manifests when generating the block template. If transaction B has a higher fee rate, it will be processed before transaction A, which invalidates transaction A. Instead of dropping transaction A, the getblocktemplate RPC call fails entirely (RustSec Advisory). The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability affects the block template generation process in the Nervos CKB blockchain. When triggered, it causes the getblocktemplate RPC call to fail, potentially disrupting the normal operation of miners and block generation on the network (RustSec Advisory).

The vulnerability was patched in version 0.40.0 of the ckb crate. As a workaround, users can either submit transaction B after transaction A is already on chain, or make B explicitly depend on A by adding any output cell on A as a dep cell or input in B. Alternatively, transactions A and B can be merged, as CKB allows using the same cell as both dep and input in the same transaction. Users can also ensure the fee rate of B is less than A so A always has higher priority (RustSec Advisory).