Skip to content

Latest commit

 

History

History
29 lines (18 loc) · 1.5 KB

CWA-2022-002.md

File metadata and controls

29 lines (18 loc) · 1.5 KB

CWA-2022-002: Non-normalized bech32 casing in Addr type

Affected versions: wasmvm 0.14.x, 0.15.x, 0.16.x and 1.x
Patch expected: 2022-04-06 11:00 Berlin time
Patched versions: wasmvm 0.16.7 and 1.0.0-beta10 (cosmwasm-vm 0.16.7 and 1.0.0-beta8)

Patch announcement

A bug in the CosmWasm stack has been discovered. This bug can potentially lock funds and can potentially be used to bypass checks.

Both 0.16 and 1.0 are equally affected. Both versions will receive a patch. Some older versions are probably affected as well but will not receive an update.

The patch is consensus breaking.

The release is scheduled for Wednesday, April 6th 2022 at 11am Berlin time. An update is recommended for all chains using CosmWasm.

Patch

0.16: https://github.com/CosmWasm/cosmwasm/compare/3a59e2bcd5...v0.16.7

1.0: https://github.com/CosmWasm/cosmwasm/compare/ad54fd1000a...v1.0.0-beta8

History

  • 2022-04-04: Patch release announced
  • 2022-04-06 11h Berlin time: Patch of cosmwasm-vm released (0.16.7 and 1.0.0-beta8)
  • 2022-04-06 14h Berlin time: Patch of wasmvm released (0.16.7 and 1.0.0-beta10; delayed by 3 hours due to CircleCI outage)
  • 2022-04-06 14:30 Berlin time: Halborn released high level description of the finding
  • 2022-04-06 15:15 Berlin time: wasmd 0.25.0 released, including an upgrade to wasmvm 1.0.0-beta10 (See CHANGELOG)