wasmvm: Malicious smart contract can slow down block production
GHSA-mx2j-7cmv-353c · GO-2025-3449
Published · Modified
Description
CWA-2025-002
Severity
Medium (Moderate + Likely)[^1]
Affected versions:
- wasmvm >= 2.2.0, < 2.2.2
- wasmvm >= 2.1.0, < 2.1.5
- wasmvm >= 2.0.0, < 2.0.6
- wasmvm < 1.5.8
Patched versions:
- wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2
Description of the bug
The vulnerability can be used to slow down block production. The attack requires a malicious contract,
so permissioned chains are unlikely to be affected.
(We'll add more detail once chains had a chance to upgrade.)
Patch
- 1.5: https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27
- 2.0: https://github.com/CosmWasm/cosmwasm/commit/d6143b0aff16a39bbea4be37597d8e9d9b213d3b
- 2.1: https://github.com/CosmWasm/cosmwasm/commit/f0c04c03cbe2557634c1bbcdc2ce203fe7caca58
- 2.2: https://github.com/CosmWasm/cosmwasm/commit/a5d62f65b5eb947ebe40e2085b1c48a9d0a244d0
Applying the patch
The patch will be shipped in releases of wasmvm. You can update more or less as follows:
- Check the current wasmvm version:
go list -m github.com/CosmWasm/wasmvm - Bump the
github.com/CosmWasm/wasmvmdependency in your go.mod to one of the patched version
depending on which minor version you are on;go mod tidy; commit. - If you use the static libraries
libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly. - Check the updated wasmvm version:
go list -m github.com/CosmWasm/wasmvmand ensure you see 1.5.8, 2.0.6, 2.1.5 or 2.2.2. - Follow your regular practices to deploy chain upgrades.
The patch is consensus breaking and requires a coordinated upgrade.
Acknowledgement
This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.
If you believe you have found a bug in the Interchain Stack or would like to contribute to the
program by reporting a bug, please see https://hackerone.com/cosmos.
Timeline
- 2024-11-24: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
- 2024-12-20: Confio security contributors confirm the report.
- 2024-01-27: Confio developed the patch internally.
- 2025-02-04: Patch gets released.
[^1]: following Amulet's Severity Classification Framework ACMv1.2: https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md
References
- WEB https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-mx2j-7cmv-353c
- WEB https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27
- WEB https://github.com/CosmWasm/cosmwasm/commit/a5d62f65b5eb947ebe40e2085b1c48a9d0a244d0
- WEB https://github.com/CosmWasm/cosmwasm/commit/d6143b0aff16a39bbea4be37597d8e9d9b213d3b
- WEB https://github.com/CosmWasm/cosmwasm/commit/f0c04c03cbe2557634c1bbcdc2ce203fe7caca58
- WEB https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2025-002.md
- PACKAGE https://github.com/CosmWasm/wasmvm
- WEB https://pkg.go.dev/vuln/GO-2025-3449
Ready to move
Start Securing
Free, no credit card | First findings in minutes