Severity: MEDIUM
Summary
cargo audit (2026-03-29) found 2 real vulnerabilities in transitive Solana SDK dependencies.
Findings
1. RUSTSEC-2022-0093 — ed25519-dalek 1.0.1: Double Public Key Signing Oracle Attack
- CVSS: HIGH (timing attack enables private key recovery under specific conditions)
- URL: https://rustsec.org/advisories/RUSTSEC-2022-0093
- Solution: Upgrade to >=2.0
- Path: ed25519-dalek 1.0.1 → solana-signature 2.3.0 → solana-sdk 2.2.1 → percolator-stake 0.2.0
- Impact: Transitive via solana-sdk. Percolator-stake does not directly invoke ed25519 batch signing; real-world exploitability is low. Track for solana-sdk update.
2. RUSTSEC-2024-0344 — curve25519-dalek 3.2.1: Timing variability in Scalar sub()
Root Cause
Both CVEs are in Solana SDK's dependency tree. Cannot fix without Solana SDK upgrade.
Remediation
- Short term: Accept risk — monitor solana-sdk releases for ed25519-dalek >=2 / curve25519-dalek >=4.1.3
- Check: Whether solana-sdk 2.3.x resolves these. If so, schedule upgrade.
- All 'unmaintained' warnings (atty, bincode, derivative, paste) are accepted transitive risk.
Filed by security agent 2026-03-29.
Severity: MEDIUM
Summary
cargo audit(2026-03-29) found 2 real vulnerabilities in transitive Solana SDK dependencies.Findings
1. RUSTSEC-2022-0093 — ed25519-dalek 1.0.1: Double Public Key Signing Oracle Attack
2. RUSTSEC-2024-0344 — curve25519-dalek 3.2.1: Timing variability in Scalar sub()
Root Cause
Both CVEs are in Solana SDK's dependency tree. Cannot fix without Solana SDK upgrade.
Remediation
Filed by security agent 2026-03-29.