GHSA-rg2q-2jh9-447q: Gas mispricing in cosmwasm-vm
Package: cargo cosmwasm-vm (Rust)
  Affected versions      Patched versions
  < 1.5.6                1.5.6
  >= 2.0.0, < 2.0.5      2.0.5
  >= 2.1.0, < 2.1.2      2.1.2

Package: gomod github.com/CosmWasm/wasmvm (Go)
  Affected versions      Patched versions
  < 1.5.4                1.5.4

Package: gomod github.com/CosmWasm/wasmvm/v2 (Go)
  Affected versions      Patched versions
  >= 2.0.0, < 2.0.3      2.0.3
  >= 2.1.0, < 2.1.2      2.1.2
Description
Component: wasmvm
Criticality: Medium (ACMv1: I:Moderate; L:Likely)
Patched versions: wasmvm 1.5.4, 2.0.3, 2.1.2
Some Wasm operations take significantly longer to execute than the gas cost derived from our benchmarks accounts for. As a result, the gas-to-execution-time target we defined can be missed by a factor of roughly 10x: a malicious contract can run for about 10 times as long as its gas consumption suggests, which can be used to temporarily DoS a chain. The mispricing lives in the VM, not in contracts, so the fix is applied by upgrading the node's wasmvm dependency (which bundles cosmwasm-vm as libwasmvm); deployed contracts need no change.
See CWA-2024-004 for more details.
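A dependency check against the ranges listed above, as an added example that is not part of this advisory or of the CosmWasm projects' code. It parses the advisory's own ">= x, < y" constraints and semver-style versions (including Go "v" prefixes, pre-release tags and Go pseudo-versions, which must rank below the release they precede so that a 2.1.2 release candidate is not mistaken for the patched 2.1.2) and reports whether a pinned version falls in an affected range. The package names and ranges are copied from the table above; the function and type names are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a minimal semver: major.minor.patch plus an optional pre-release
// tag. Build metadata ("+...") is dropped, as semver precedence requires.
type Version struct {
	Major, Minor, Patch int
	Pre                 string // "" for a release; "rc.1" or a Go pseudo-version suffix otherwise
}

// ParseVersion accepts "1.5.6", Go-module style "v1.5.6", "2.1.2-rc.1" and
// Go pseudo-versions such as "v2.1.2-0.20240801000000-0123456789ab".
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i]
	}
	var pre string
	if i := strings.Index(s, "-"); i >= 0 {
		s, pre = s[:i], s[i+1:]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("not a major.minor.patch version: %q", s)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = x
	}
	return Version{n[0], n[1], n[2], pre}, nil
}

// Compare orders by major, minor, patch; a pre-release ranks below the release
// it precedes (2.1.2-rc.1 < 2.1.2). Two pre-releases of the same base compare
// equal here, which is sufficient for range membership checks.
func (v Version) Compare(o Version) int {
	for _, d := range [3][2]int{{v.Major, o.Major}, {v.Minor, o.Minor}, {v.Patch, o.Patch}} {
		if d[0] < d[1] {
			return -1
		}
		if d[0] > d[1] {
			return 1
		}
	}
	if v.Pre == "" && o.Pre != "" {
		return 1
	}
	if v.Pre != "" && o.Pre == "" {
		return -1
	}
	return 0
}

// Range is an advisory constraint: an optional inclusive lower bound (">= x")
// and a mandatory exclusive upper bound ("< y"), e.g. ">= 2.0.0, < 2.0.5".
type Range struct{ Lo, Hi *Version }

func ParseRange(s string) (Range, error) {
	var r Range
	for _, c := range strings.Split(s, ",") {
		c = strings.TrimSpace(c)
		var v Version
		var err error
		switch {
		case strings.HasPrefix(c, ">="):
			v, err = ParseVersion(c[2:])
			r.Lo = &v
		case strings.HasPrefix(c, "<"):
			v, err = ParseVersion(c[1:])
			r.Hi = &v
		default:
			return Range{}, fmt.Errorf("unsupported constraint %q", c)
		}
		if err != nil {
			return Range{}, err
		}
	}
	if r.Hi == nil {
		// An open-ended range would mark every future release vulnerable; refuse to guess.
		return Range{}, fmt.Errorf("range %q has no upper bound", s)
	}
	return r, nil
}

func (r Range) Contains(v Version) bool {
	if r.Lo != nil && v.Compare(*r.Lo) < 0 {
		return false
	}
	return v.Compare(*r.Hi) < 0
}

// affected holds the ranges exactly as published in GHSA-rg2q-2jh9-447q.
var affected = map[string][]string{
	"cosmwasm-vm":                   {"< 1.5.6", ">= 2.0.0, < 2.0.5", ">= 2.1.0, < 2.1.2"},
	"github.com/CosmWasm/wasmvm":    {"< 1.5.4"},
	"github.com/CosmWasm/wasmvm/v2": {">= 2.0.0, < 2.0.3", ">= 2.1.0, < 2.1.2"},
}

// IsAffected reports whether pkg pinned at ver falls inside any affected range.
func IsAffected(pkg, ver string) (bool, error) {
	ranges, ok := affected[pkg]
	if !ok {
		return false, fmt.Errorf("package %q is not covered by this advisory", pkg)
	}
	v, err := ParseVersion(ver)
	if err != nil {
		return false, err
	}
	for _, rs := range ranges {
		r, err := ParseRange(rs)
		if err != nil {
			return false, err
		}
		if r.Contains(v) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample pins, e.g. as read from a go.mod or Cargo.lock.
	for _, p := range [][2]string{
		{"github.com/CosmWasm/wasmvm/v2", "v2.1.1"},
		{"github.com/CosmWasm/wasmvm/v2", "v2.1.2"},
		{"cosmwasm-vm", "2.1.2-rc.1"},
	} {
		hit, err := IsAffected(p[0], p[1])
		fmt.Printf("%s %s: affected=%v err=%v\n", p[0], p[1], hit, err)
	}
}
```

Feeding the check a Go pseudo-version like v2.1.2-0.20240801000000-0123456789ab reports it as affected, which is the intended behaviour: a pseudo-version refers to a commit before the v2.1.2 tag, so it predates the fix.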
References
- GHSA-rg2q-2jh9-447q
- CosmWasm/cosmwasm@5bef1c5
- CosmWasm/cosmwasm@9b4d6d0
- CosmWasm/cosmwasm@c1313af
- https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-004.md
- https://rustsec.org/advisories/RUSTSEC-2024-0361.html
Published to CosmWasm/wasmvm by chipshort: Aug 8, 2024
Published to the GitHub Advisory Database: Aug 8, 2024
Reviewed: Aug 8, 2024
Last updated: Aug 8, 2024