GHSA-rg2q-2jh9-447q: Gas mispricing in cosmwasm-vm

Component: wasmvm
Criticality: Medium (ACMv1: I:Moderate; L:Likely)
Patched versions: wasmvm 1.5.4, 2.0.3, 2.1.2

Some Wasm operations take significantly more execution time for the gas they are charged than our benchmarks indicated. As a result, the gas target we defined can be missed by a factor of ~10x: a malicious contract could take 10 times as long to execute as expected, which can be used to temporarily DoS a chain.

See CWA-2024-004 for more details.


Affected packages

Package                                   Affected versions     Patched versions
cargo cosmwasm-vm (Rust)                  < 1.5.6               1.5.6
                                          >= 2.0.0, < 2.0.5     2.0.5
                                          >= 2.1.0, < 2.1.2     2.1.2
gomod github.com/CosmWasm/wasmvm (Go)     < 1.5.4               1.5.4
gomod github.com/CosmWasm/wasmvm/v2 (Go)  >= 2.0.0, < 2.0.3     2.0.3
                                          >= 2.1.0, < 2.1.2     2.1.2

References

  • GHSA-rg2q-2jh9-447q
  • CosmWasm/cosmwasm@5bef1c5
  • CosmWasm/cosmwasm@9b4d6d0
  • CosmWasm/cosmwasm@c1313af
  • https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-004.md
  • https://rustsec.org/advisories/RUSTSEC-2024-0361.html

chipshort published to CosmWasm/wasmvm: Aug 8, 2024
Published to the GitHub Advisory Database: Aug 8, 2024
Reviewed: Aug 8, 2024
Last updated: Aug 8, 2024
