GHSA-q73f-w3h7-7wcc: 
Rust vulnerability analysis and mitigation

A critical vulnerability (GHSA-q73f-w3h7-7wcc) was discovered in Nervos CKB versions <= 0.34.1, affecting transactions that call the syscall load_cell_data_hash. The vulnerability was published on August 14, 2020, and was patched in version 0.34.2. The issue specifically impacts the transaction pool's verification process, leading to nondeterministic results when processing transactions with inputs containing load_cell_data_hash (GitHub Advisory).

The vulnerability occurs in the transaction verification process where transactions calling the syscall load_cell_data_hash from input scripts produce nondeterministic results in the tx-pool. This affects the transaction pool's ability to properly verify transactions, potentially leading to inconsistent states. The issue was marked as Critical severity, indicating its significant impact on the system's security and reliability (GitHub Advisory).

The vulnerability causes nondeterministic behavior in the transaction pool when verifying transactions that contain load_cell_data_hash in their input scripts. This unpredictability could potentially affect the consistency and reliability of transaction processing in the Nervos CKB network (GitHub Advisory).

The vulnerability was patched in version 0.34.2 of Nervos CKB. As a workaround, the system enforces tx-pool ResolvedTransaction inputs' load data to be none. Users are advised to upgrade to version 0.34.2 or later to address this vulnerability (GitHub Advisory).