Medium severity vulnerability sucessfully patched in Grin v3.0.0 - Public disclosure of CVE-2020-6638

As part of last week’s network-wide upgrade to 3.0.0 a consensus breaking patch was rolled out that fixes a security vulnerability of medium severity where malleable blocks can be produced to force a chain split.

There has been no indication of the vulnerability ever having been exploited. Attacks to target users following a successful chain split would have been exceptionally difficult to pull off in practice. After the release of 3.0.0, users are not vulnerable, and no further action is required.

This has been assigned CVE-2020-6638, and the details of the issue and the corresponding fix has just been published to our /grin-security github repo:


@lehnberg thank you for the update.
So for my understanding there is no need to deploy this patch to the branch?

I am asking because all my public high available nodes are running on this branch?

That branch (like all version 3 branches) includes the patch, as can be seen at


Thank you @tromp for clarifying. :+1:
I just got a bit confused about the commit message on the 3x branches.

Just to follow up on this. A link to the initial question on gitter chat was included in the vulnerability writeup but credit/attribution for this was not particularly clear.

Thanks @devrandom for asking what at first glance appeared to be a simple question on an implementation detail.

This was then followed up with a more specific point related to the original question. This turned out to very concisely describe the underlying problem behind the vulnerability.