Skip to content

Latest commit

 

History

History
61 lines (40 loc) · 2.46 KB

CWA-2025-003.md

File metadata and controls

61 lines (40 loc) · 2.46 KB

CWA-2025-003: Smart contract can cause consensus failures for some nodes

Severity

Low (Marginal + Likely)1

Affected versions:

  • wasmvm 2.2.2
  • wasmvm 2.1.5
  • wasmvm 2.0.6 (unsupported)
  • wasmvm 1.5.8

Patched versions:

  • wasmvm 1.5.9, 2.1.6, 2.2.3

Description of the bug

When running into it, the vulnerability will cause nodes running with the --trace flag to run into consensus failure. Running into this issue does not require a malicious contract and can happen by accident with non-malicious contracts. It can happen on both permissioned and permissionless chains.

Mitigations

Do not run nodes (especially validator nodes) with the --trace flag (or run all of them with the flag enabled). Alternatively, upgrade to a patched version once it is released.

Applying the patch

The patch will be shipped in releases of wasmvm. You can update more or less as follows:

  1. Check the current wasmvm version: go list -m github.com/CosmWasm/wasmvm
  2. Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to one of the patched version depending on which minor version you are on; go mod tidy; commit.
  3. If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly.
  4. Check the updated wasmvm version: go list -m github.com/CosmWasm/wasmvm and ensure you see 1.5.9, 2.1.6 or 2.2.3.
  5. Follow your regular practices to deploy chain upgrades.

The patch is consensus breaking and requires a coordinated upgrade.

Acknowledgement

pinosu from Confio first found this on Neutron and reported it to the Neutron team. After some investigation, Sergey Golyshkin from the Neutron team figured out that this is caused by CosmWasm and reported this back to Confio. The same issue was later reported by a member of the Injective community. Thank you!

If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

Timeline

  • 2025-02-17: Confio finds the issue and reports it to the Neutron team.
  • 2025-02-19: Neutron does some testing and points out the problematic part of the CosmWasm code.
  • 2025-03-03: Confio developed the patch internally.
  • 2025-03-05: Patch gets released.

Footnotes

  1. following Amulet's Severity Classification Framework ACMv1.2: https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md