
Cloud Vulnerability DB
A community-led vulnerabilities database
RUSTSEC-2021-0107 (CVE-2021-45698) is a high-severity vulnerability discovered in the CKB blockchain node software that affects versions prior to 0.39.2. The vulnerability was disclosed on July 26, 2021, and involves a failure in the RPC getblocktemplate functionality when a cell is used both as a cell dependency and as an input in different transactions (GitHub Advisory).
The vulnerability occurs when a cell C is used as a dep group in transaction A and is destroyed in transaction B. If both transactions are valid and added to the transaction pool, with transaction A being added first, the block template generation fails when transaction B has a higher fee rate and is processed before A. Instead of properly handling the conflict by dropping transaction A, the RPC getblocktemplate fails entirely (GitHub Advisory).
When exploited, this vulnerability causes the RPC getblocktemplate to fail, potentially disrupting block creation and mining operations. This could affect the normal operation of the blockchain network by preventing miners from generating new blocks when specific transaction patterns occur (GitHub Advisory).
Several workarounds are available:
1. Submit transaction B only after transaction A is on chain.
2. Add any output cell from A as a dep cell or input in B.
3. Merge transactions A and B, since CKB allows using the same cell as both dep and input in the same transaction.
4. Ensure transaction B's fee rate is less than A's to maintain proper transaction priority.

The vulnerability has been patched in version 0.39.2 (GitHub Advisory).
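The ordering conflict described above, and the effect of the fee-rate workaround, can be reproduced with a small model. This is an added example, not CKB's code: the `Tx` type, `build_template`, the cell names and the fee rates are all assumptions made for illustration.

```rust
use std::collections::HashSet;

// Simplified transaction model (hypothetical, not CKB's types).
struct Tx {
    name: &'static str,
    fee_rate: u64,
    inputs: Vec<&'static str>,    // cells consumed (destroyed)
    cell_deps: Vec<&'static str>, // cells only read
}

// Pick transactions by descending fee rate. With `drop_conflicts` false, one
// unresolvable cell aborts the whole template (the failure described above);
// with true, only the conflicting transaction is dropped.
fn build_template(
    pool: &[Tx],
    live_cells: &[&'static str],
    drop_conflicts: bool,
) -> Result<Vec<&'static str>, String> {
    let mut live: HashSet<&'static str> = live_cells.iter().copied().collect();
    let mut sorted: Vec<&Tx> = pool.iter().collect();
    sorted.sort_by(|a, b| b.fee_rate.cmp(&a.fee_rate));
    let mut picked = Vec::new();
    for tx in sorted {
        let missing = tx.inputs.iter().chain(tx.cell_deps.iter())
            .find(|c| !live.contains(*c));
        if let Some(cell) = missing {
            if drop_conflicts { continue; }
            return Err(format!("{}: cell {} is dead", tx.name, cell));
        }
        for c in &tx.inputs { live.remove(c); } // inputs are destroyed
        picked.push(tx.name);
    }
    Ok(picked)
}

// Constructed sample pool: A reads C as a dep, B destroys C and pays more.
fn sample_pool() -> Vec<Tx> {
    vec![
        Tx { name: "A", fee_rate: 1_000, inputs: vec!["X"], cell_deps: vec!["C"] },
        Tx { name: "B", fee_rate: 2_000, inputs: vec!["C"], cell_deps: vec![] },
    ]
}

fn main() {
    let pool = sample_pool();
    println!("abort on conflict: {:?}", build_template(&pool, &["C", "X"], false));
    println!("drop conflicting:  {:?}", build_template(&pool, &["C", "X"], true));
}
```

Lowering B's fee rate below A's in the sample pool makes A sort first, so both transactions are selected even in the aborting mode, which is what workaround 4 relies on.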
Source: This report was generated using AI