Skip to content

CWA-2024-004: Gas mispricing in cosmwasm-vm

Moderate
chipshort published GHSA-rg2q-2jh9-447q Aug 8, 2024

Package

gomod github.com/CosmWasm/wasmvm (Go)

Affected versions

< 1.5.4

Patched versions

1.5.4
gomod github.com/CosmWasm/wasmvm/v2 (Go)
>= 2.1.0, < 2.1.2
>= 2.0.0, < 2.0.3
2.1.2
2.0.3

Description

Component: wasmvm
Criticality: Medium (ACMv1: I:Moderate; L:Likely)
Patched versions: wasmvm 1.5.4, 2.0.3, 2.1.2

Some Wasm operations take significantly more gas than our benchmarks indicated. This can lead to missing the gas target we defined by a factor of ~10x. This means a malicious contract could take 10 times as much time to execute as expected, which can be used to temporarily DoS a chain.

See CWA-2024-004 for more details.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs

Credits