MEDIUM 4.3 crates.io
Gas mispricing in cosmwasm-vm
GHSA-rg2q-2jh9-447q · RUSTSEC-2024-0361
Published · Modified
Description
Component: wasmvm
Criticality: Medium (ACMv1: I:Moderate; L:Likely)
Patched versions: wasmvm 1.5.4, 2.0.3, 2.1.2
Some Wasm operations take significantly more gas than our benchmarks indicated. This can lead to missing the gas target we defined by a factor of ~10x. This means a malicious contract could take 10 times as much time to execute as expected, which can be used to temporarily DoS a chain.
See CWA-2024-004 for more details.
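A check for the patched versions listed above, as an added example (not code from the advisory or from CosmWasm): it scans `go.mod` text for the `github.com/CosmWasm/wasmvm` module (the `/v2` suffix is the Go module path for 2.x releases) and compares each pinned version with the fixed release of its line. Treating release lines the advisory does not list as "unknown" is an assumption of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Patched releases listed in the advisory, keyed by "major.minor" release line.
var patched = map[string]int{"1.5": 4, "2.0": 3, "2.1": 2}

// Matches a wasmvm requirement in go.mod (v1 path or the /v2 module path).
var reqRe = regexp.MustCompile(`github\.com/CosmWasm/wasmvm(?:/v2)?\s+v(\d+)\.(\d+)\.(\d+)(\S*)`)

// Finding is one wasmvm requirement and its status against the advisory.
type Finding struct {
	Version string
	Status  string // "patched", "vulnerable" or "unknown"
}

// Check scans go.mod text and classifies every wasmvm version it pins.
// Assumption: release lines the advisory does not list are reported as
// "unknown" rather than guessed.
func Check(gomod string) []Finding {
	var out []Finding
	for _, m := range reqRe.FindAllStringSubmatch(gomod, -1) {
		patch, _ := strconv.Atoi(m[3])
		version := fmt.Sprintf("%s.%s.%s%s", m[1], m[2], m[3], m[4])
		status := "unknown"
		if fix, ok := patched[m[1]+"."+m[2]]; ok {
			status = "vulnerable"
			// A "-suffix" marks a pre-release, which sorts before the fixed release.
			if patch > fix || (patch == fix && !strings.HasPrefix(m[4], "-")) {
				status = "patched"
			}
		}
		out = append(out, Finding{version, status})
	}
	return out
}

func main() {
	// Constructed go.mod fragment for illustration.
	sample := "require (\n\tgithub.com/CosmWasm/wasmvm v1.5.2\n\tgithub.com/CosmWasm/wasmvm/v2 v2.1.2\n)\n"
	for _, f := range Check(sample) {
		fmt.Printf("wasmvm %s: %s\n", f.Version, f.Status)
	}
}
```

Requirements redirected through a `replace` directive to a fork are not matched and need a manual look.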
References
- WEB https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-rg2q-2jh9-447q
- WEB https://github.com/CosmWasm/cosmwasm/commit/5bef1c588933bd60a04bb70099150cf84b69e144
- WEB https://github.com/CosmWasm/cosmwasm/commit/9b4d6d03772b75d500a7d3c972d0d8ba6d085c06
- WEB https://github.com/CosmWasm/cosmwasm/commit/c1313afeb261e17b1c8cf6a1eacee1da0dac42ae
- WEB https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-004.md
- PACKAGE https://github.com/CosmWasm/wasmvm
- WEB https://rustsec.org/advisories/RUSTSEC-2024-0361.html