Affected versions: wasmvm 0.14.x, 0.15.x, 0.16.x and 1.x
Patch expected: 2022-04-06 11:00 Berlin time
Patched versions: wasmvm 0.16.7 and 1.0.0-beta10 (cosmwasm-vm 0.16.7 and 1.0.0-beta8)
A bug in the CosmWasm stack has been discovered. This bug can potentially lock funds and can potentially be used to bypass checks.
Both 0.16 and 1.0 are equally affected. Both versions will receive a patch. Some older versions are probably affected as well but will not receive an update.
The patch is consensus breaking.
The release is scheduled for Wednesday, April 6th 2022 at 11am Berlin time. An update is recommended for all chains using CosmWasm.
0.16: https://github.com/CosmWasm/cosmwasm/compare/3a59e2bcd5...v0.16.7
1.0: https://github.com/CosmWasm/cosmwasm/compare/ad54fd1000a...v1.0.0-beta8
- 2022-04-04: Patch release announced
- 2022-04-06 11h Berlin time: Patch of cosmwasm-vm released (0.16.7 and 1.0.0-beta8)
- 2022-04-06 14h Berlin time: Patch of wasmvm released (0.16.7 and 1.0.0-beta10; delayed by 3 hours due to CircleCI outage)
- 2022-04-06 14:30 Berlin time: Halborn released high level description of the finding
- 2022-04-06 15:15 Berlin time: wasmd 0.25.0 released, including an upgrade to wasmvm 1.0.0-beta10 (See CHANGELOG)