├── .editorconfig ├── .github └── workflows │ └── autofix.yml ├── .gitignore ├── CWAs ├── CWA-2021-001.md ├── CWA-2021-002.md ├── CWA-2021-003.md ├── CWA-2022-001.md ├── CWA-2022-002.md ├── CWA-2022-003.md ├── CWA-2022-004.md ├── CWA-2022-005.md ├── CWA-2023-001.md ├── CWA-2023-002.md ├── CWA-2023-003.md ├── CWA-2023-004.md ├── CWA-2024-001.md ├── CWA-2024-002.md ├── CWA-2024-003.md ├── CWA-2024-004.md ├── CWA-2024-005.md ├── CWA-2024-006.md ├── CWA-2024-007.md ├── CWA-2024-008.md ├── CWA-2024-009.md ├── CWA-2025-001.md ├── CWA-2025-002.md ├── CWA-2025-003.md ├── CWA-2025-004.md ├── CWA-2025-005.md ├── CWA-2025-006.md └── README.md ├── NOTIFICATION_LIST.md ├── README.md ├── SECURITY.md └── tools └── format_md.sh /.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig is awesome: https://EditorConfig.org 2 | 3 | # top-most EditorConfig file 4 | root = true 5 | 6 | [*] 7 | end_of_line = lf 8 | charset = utf-8 9 | trim_trailing_whitespace = true 10 | insert_final_newline = true 11 | -------------------------------------------------------------------------------- /.github/workflows/autofix.yml: -------------------------------------------------------------------------------- 1 | name: autofix.ci # needed to securely identify the workflow 2 | 3 | on: 4 | pull_request: 5 | 6 | permissions: 7 | contents: read 8 | 9 | jobs: 10 | autofix-text: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@v4 14 | 15 | - name: Install npx (for prettier) 16 | run: sudo apt install nodejs 17 | 18 | - name: Format Markdown 19 | run: ./tools/format_md.sh 20 | 21 | - uses: autofix-ci/action@v1 # See https://autofix.ci/ 22 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Editors 2 | .vscode/ 3 | .idea/ 4 | 5 | # OS 6 | .DS_Store 7 | -------------------------------------------------------------------------------- /CWAs/CWA-2021-001.md: -------------------------------------------------------------------------------- 1 | # CWA-2021-001: Logic error in none handling in copyAndDestroyUnmanagedVector 2 | 3 | ## Versions and patch 4 | 5 | **Affected versions:** wasmvm 0.14.x, 0.15.x, 0.16.x and 1.x
6 | **Patch release expected:** 2021-11-10 10:00 Berlin time
7 | **Patched versions:** wasmvm 0.16.2 and 1.0.0-beta2
8 | 9 | ## Description of the bug 10 | 11 | The C FFI type `UnmanagedVector` contains the fields `is_none`, `ptr` (pointer) `len` (length) and `cap` (capacity). The type is intended to send binary data between Rust and Go. On the Go side, binary data is a byte slice `[]byte` which is always nullable. I.e. the type can differentiate `nil` from an empty list of bytes. In order to preserve this nullability, the corresponding Rust type is `Option>`. Now the `UnmanagedVector` type was created to translate between the two. Since we were not aware that a Rust vector's `ptr` is guaranteed to be non-null or this guarantee did not exists at the time, a boolean `is_none` was created to store if the data is set or unset (`None`/`nil`). 12 | 13 | The type's `is_none` API requires _If this is true, the other fields must be ignored_, i.e. they can contain any garbage such as uninitialized data. The Go implementation of `copyAndDestroyUnmanagedVector` did not comply with this requirement and used `v.ptr == cu8_ptr(nil)` to decide if the value was `nil`. Now if `is_none` was true and `len > 0`, the implementation would unsafely read `len` bytes from `ptr`. Since both values could have arbitrary values, this would lead to crashes. 14 | 15 | Now the question for the crash case is: could this be triggered in real life? I.e. is there a code path where `is_none` is true but `ptr != 0`? All code paths we found set `is_none: true` and `ptr: 0` together. 16 | 17 | The other interesting question is: did the Go implementation convert valid data to `nil` in the `v.ptr == cu8_ptr(nil)` case? The answer is no because Rust guarantees vector `ptr`s to be non-null. So only corrupted data or `is_none: true` could have been converted to `nil`. 18 | 19 | At the end no code path was found to trigger the bug. However, given the type definition it is still a bug and even after careful inspection it is possible we missed something. 20 | 21 | The bug was found through a crash report that mentioned bad pointers at address 0x01. This dummy address is used by Rust as `ptr` value in `Vec::::with_capacity(0)`. Since we did not find a code path to trigger the bug described above, it is likely the crash report is unrelated or the symptom of a different data corruption. 22 | 23 | ## Patch 24 | 25 | 0.16: https://github.com/CosmWasm/wasmvm/commit/790cafa0e1625d0d232472de41c1341967e3ba2a 26 | 27 | 1.0: https://github.com/CosmWasm/wasmvm/commit/ceaebca68ca2ddbda8cff6bcf2b89316e90121b1 28 | 29 | ## History 30 | 31 | - 2021-10-27: Crash stacktrace reported by YunSuk-Yeo from Terra (https://github.com/CosmWasm/wasmvm/issues/265) 32 | - 2021-11-08: Patch release announced (https://twitter.com/simon_warta/status/1457841534112518146, https://gist.github.com/webmaster128/99f48b6e1de51453935a6f32da4ad3ee) 33 | - 2021-11-10: Patch released (https://twitter.com/CosmWasm/status/1458371847758749697) 34 | -------------------------------------------------------------------------------- /CWAs/CWA-2021-002.md: -------------------------------------------------------------------------------- 1 | # CWA-2021-002 2 | -------------------------------------------------------------------------------- /CWAs/CWA-2021-003.md: -------------------------------------------------------------------------------- 1 | # CWA-2021-003: Nondeterministic stacktrace in VmError 2 | 3 | **Affected versions:** wasmvm 0.13.x, 0.14.x, 0.15.x, 0.16.x and 1.x
4 | **Patch expected:** 2021-12-23 10:00 Berlin time
5 | **Patched versions:** wasmvm 0.16.3 and 1.0.0-beta5 6 | 7 | ## Description of the bug 8 | 9 | The bug is a non-determinism bug which can potential cause chain halts. 10 | 11 | ## Description of the patch 12 | 13 | Potentially consensus breaking and can be installed as a soft-fork. 14 | 15 | **Patch** 16 | 17 | 0.16: https://github.com/CosmWasm/cosmwasm/pull/1194 18 | 19 | 1.0: https://github.com/CosmWasm/cosmwasm/pull/1193 20 | 21 | ## History 22 | 23 | - 2021-12-16: Bug reported privately by Yun Yeo from Terra to Confio 24 | - 2021-12-20: Further analysis and proof of concept patch created by Confio 25 | - 2021-12-21: Patch release announced for 2021-12-23 10:00 Berlin time in CosmWasm community call (https://github.com/CosmWasm/cosmwasm/issues/1191) 26 | - 2021-12-21: CWA-2021-003 created and published 27 | - 2021-12-23: Patch released as wasmvm 0.16.3 and 1.0.0-beta4 28 | - 2022-01-02: It was discovered that wasmvm 1.0.0-beta4 does not contain the fix (see https://github.com/CosmWasm/wasmvm/pull/289 for details) 29 | - 2022-01-03: Patch released as [wasmvm 1.0.0-beta5](https://github.com/CosmWasm/wasmvm/releases/tag/v1.0.0-beta5) 30 | -------------------------------------------------------------------------------- /CWAs/CWA-2022-001.md: -------------------------------------------------------------------------------- 1 | # CWA-2022-001: Non-deterministic queries 2 | 3 | **Affected versions:** wasmd 0.16.x-0.23.x
4 | **Patched versions:** wasmd 0.24.0 5 | 6 | ## Description of the bug 7 | 8 | CosmWasm allows contract developers to perform arbitrary queries to the node. Most of those queries access state. However, there are queries that access other node specific information such as node infos or the memory pool. Performing such queries leads to non-deterministic results and as a consequence can lead to consensus failures. 9 | 10 | ## Patch 11 | 12 | In the Terra fork: https://github.com/terra-money/core/commit/2be170249147588f19b41c6daf4393b07ac5b009 13 | 14 | In wasmd: https://github.com/CosmWasm/wasmd/pull/776 15 | 16 | ## History 17 | 18 | - 2022-02-22: Yun Yeo from Terra reports the bug privately to Confio 19 | - 2022-02-22: The bug is tracked in wasmd (https://github.com/CosmWasm/wasmd/issues/762) 20 | - 2022-03-07: The bug gets fixed in wasmd (https://github.com/CosmWasm/wasmd/pull/776) 21 | - 2022-03-09: The fix is released as part of wasmd 0.24.0 22 | - 2022-04-05: Juno halts after block 2578097 23 | - 2022-04-07: the-frey explains the problem in case of Juno in the YouTube livestream "Game of Nodes #4" (https://www.youtube.com/watch?v=y98P_xc7vIY) 24 | - 2022-04-07: Assaf Morami provides details of the Juno halt on Twitter (https://twitter.com/assafmo/status/1511989375730688001) 25 | -------------------------------------------------------------------------------- /CWAs/CWA-2022-002.md: -------------------------------------------------------------------------------- 1 | # CWA-2022-002: Non-normalized bech32 casing in Addr type 2 | 3 | **Affected versions:** wasmvm 0.14.x, 0.15.x, 0.16.x and 1.x
4 | **Patch expected:** 2022-04-06 11:00 Berlin time
5 | **Patched versions:** wasmvm 0.16.7 and 1.0.0-beta10 (cosmwasm-vm 0.16.7 and 1.0.0-beta8) 6 | 7 | ## Patch announcement 8 | 9 | A bug in the CosmWasm stack has been discovered. This bug can potentially **lock funds** and can potentially be used to **bypass checks**. 10 | 11 | Both 0.16 and 1.0 are equally affected. Both versions will receive a patch. Some older versions are probably affected as well but will not receive an update. 12 | 13 | The patch is **consensus breaking**. 14 | 15 | The release is scheduled for Wednesday, April 6th 2022 at 11am Berlin time. An update is recommended for all chains using CosmWasm. 16 | 17 | ## Patch 18 | 19 | 0.16: https://github.com/CosmWasm/cosmwasm/compare/3a59e2bcd5...v0.16.7 20 | 21 | 1.0: https://github.com/CosmWasm/cosmwasm/compare/ad54fd1000a...v1.0.0-beta8 22 | 23 | ## History 24 | 25 | - 2022-04-04: Patch release announced 26 | - 2022-04-06 11h Berlin time: Patch of cosmwasm-vm released (0.16.7 and 1.0.0-beta8) 27 | - 2022-04-06 14h Berlin time: Patch of wasmvm released (0.16.7 and 1.0.0-beta10; delayed by 3 hours due to CircleCI outage) 28 | - 2022-04-06 14:30 Berlin time: Halborn released [high level description of the finding](https://halborn.com/halborn-discovers-zero-day-vulnerability-in-cosmwasm/) 29 | - 2022-04-06 15:15 Berlin time: wasmd 0.25.0 released, including an upgrade to wasmvm 1.0.0-beta10 ([See CHANGELOG](https://github.com/CosmWasm/wasmd/blob/v0.25.0/CHANGELOG.md#v0250-2022-04-06)) 30 | -------------------------------------------------------------------------------- /CWAs/CWA-2022-003.md: -------------------------------------------------------------------------------- 1 | # CWA-2022-003: Nondeterministic Stargate queries 2 | 3 | **Affected versions:** wasmd <= 0.25.x
4 | **Patch expected:** 2022-04-21 11:00 Berlin time
5 | **Patched versions:** wasmd 0.26.0 6 | 7 | ## Patch announcement 8 | 9 | A issue in the CosmWasm stack has been discovered. This issue can potentially **halt the chain**. 10 | 11 | The patch is **potentially consensus breaking**. 12 | 13 | The release is scheduled for Thursday, April 21st 2022 at 11am Berlin time. An update is recommended for all chains using CosmWasm. 14 | 15 | ## Patch 16 | 17 | https://github.com/CosmWasm/wasmd/pull/812 18 | 19 | The patch is potentially consensus breaking and can be installed as a soft-fork. 20 | 21 | ## History 22 | 23 | - 2022-04-19: Patch release announced 24 | - 2022-04-21 11:10h Berlin time: wasmd 0.26.0 released 25 | -------------------------------------------------------------------------------- /CWAs/CWA-2022-004.md: -------------------------------------------------------------------------------- 1 | # CWA-2022-004: Unlimited query stack 2 | 3 | **Affected versions:** wasmd < 0.27.0
4 | **Patch expected:** 2022-05-19 11:00 Berlin time
5 | **Patched versions:** wasmd 0.27.0 6 | 7 | ## Patch announcement 8 | 9 | A issue in the CosmWasm stack has been discovered. This issue can potentially **halt the chain**. 10 | 11 | The patch is **consensus breaking**. 12 | 13 | The release is scheduled for Thursday, May 19th 2022 at 11am Berlin time. An update is recommended for all chains using CosmWasm. 14 | 15 | ## Patch 16 | 17 | https://github.com/CosmWasm/wasmd/pull/867 18 | 19 | ## History 20 | 21 | - 2022-05-17: Patch release announced 22 | - 2022-05-19 10:58h Berlin time: wasmd 0.07.0 released 23 | -------------------------------------------------------------------------------- /CWAs/CWA-2022-005.md: -------------------------------------------------------------------------------- 1 | # CWA-2022-005: Denial of service through predictable contract addresses 2 | 3 | **Affected versions:** wasmd < 0.29.0
4 | **Patched versions:** wasmd 0.29.0 5 | 6 | ## Description of the bug 7 | 8 | Before wasmd 0.29.0, the contract instantiation errored if an account already existed 9 | at the contract address. Since contract addresses are predictable, this can be abused by 10 | attackers who create such accounts. Doing so makes the instantiation impossible. 11 | 12 | The attacker does not need to be the owner of the account they create. 13 | A BaseAccount can be created e.g. by sending tokens to an address via MsgSend. 14 | A ContinuousVestingAccount or DelayedVestingAccount can be created by sending a MsgCreateVestingAccount. 15 | 16 | ### Original report 17 | 18 | The [original report](reports/Potential_Denial_of_Service_in_CW.pdf) [^1] was provided by Jorge and Shane from the Stargaze team. 19 | It explains in detail how to calculate addresses of future contracts instantiations and how to block them 20 | by sending tokens to the addresses, resulting in account creations. 21 | 22 | ### Background 23 | 24 | The root cause of the issue was a wrong understanding of the Cosmos SDK account creation logic for module accounts. 25 | As you can see above, any user can decide the account type of an address they obtain knowledge of, no matter if they own it or now. A BaseAccount and vesting accounts can be created by default Cosmos SDK messages. App chains can also define their custom account types which may be possible to create in a similar way. 26 | 27 | Similar problems have occurred in other places: 28 | 29 | - Make gamm pools override addr already exists ([osmosis-labs/osmosis#2725](https://github.com/osmosis-labs/osmosis/pull/2725)) 30 | - fix: return error on existing non-interchainaccounts for generated address ([cosmos/ibc-go@02dc44e](https://github.com/cosmos/ibc-go/commit/02dc44eb03cec3575f0cb0a4a89c576ceeac034c#diff-b7761fe9cc6fb6a0f056e120e9f22509af9c82bbc1405ec5e90f4f9433789a76R44)) 31 | 32 | This advisory was not delayed in order to protect chains affected by one of those issues. 33 | 34 | ## Patch 35 | 36 | In [#996], wasmd introduced a change to how existing accounts are handled when a contract is instantiated. 37 | The new logic is: 38 | 39 | - If there is no account, create a BaseAccount 40 | - If there is a BaseAccount, use it. See [`defaultAcceptedAccountTypes`](https://github.com/CosmWasm/wasmd/blob/v0.31.0-rc2/x/wasm/keeper/keeper.go#L81) for how to customize this. 41 | - If there is a ContinuousVestingAccount or DelayedVestingAccount, prune it. See [`accountPruner`](https://github.com/CosmWasm/wasmd/blob/v0.29.0/x/wasm/keeper/keeper.go#L104) for how to customize this. 42 | - If there is a different account type, raise an error 43 | 44 | ## History 45 | 46 | - 2022-08-01: Incident report by Stargaze team members received 47 | - 2022-08-19: Internal research completed 48 | - 2022-09-09: Fix merged as part of the refactoring [#996] 49 | - 2022-10-10: Fix released as part of [wasmd 0.29.0](https://github.com/CosmWasm/wasmd/blob/main/CHANGELOG.md#v0290-2022-10-10). No advisory was created to not create attention for the bug. 50 | - 2023-02-22: The topic was [discussed on Twitter](https://twitter.com/larry0x/status/1629151643567636480), making this attack vector public knowledge. 51 | - 2023-03-13: Advisory created 52 | - 2023-03-30: Advisory published 53 | 54 | [#996]: https://github.com/CosmWasm/wasmd/pull/996 55 | 56 | [^1]: IPFS mirrors: [one](https://nftstorage.link/ipfs/bafkreifwjbkbzzh5hsc63wxn4ghvd7qk3ma2htmndtzfjtpwqdkovhzt4e) and [two](https://gateway.pinata.cloud/ipfs/bafkreifwjbkbzzh5hsc63wxn4ghvd7qk3ma2htmndtzfjtpwqdkovhzt4e) 57 | -------------------------------------------------------------------------------- /CWAs/CWA-2023-001.md: -------------------------------------------------------------------------------- 1 | # CWA-2023-001: Potential overflow in cache statistics 2 | 3 | **Affected versions:** wasmvm < 1.2.2 (cosmwasm-vm < 1.2.3)
4 | **Patched versions:** wasmvm 1.2.2 (cosmwasm-vm 1.2.3) 5 | 6 | ## Description of the bug 7 | 8 | By using unchecked increments in [cache statistics](https://github.com/CosmWasm/cosmwasm/blob/v1.2.2/packages/vm/src/cache.rs#L28-L34) 9 | it is possible to trigger an overflow after ~4 billion calls. 10 | Since cosmwasm-vm [is compiled with](https://github.com/CosmWasm/wasmvm/blob/7db6c12b82bf11908dd8cdadd59671a840154657/libwasmvm/Cargo.toml#L57) `overflow-checks = true` in wasmvm, exceeding the uint32 range will lead to panics. 11 | 12 | For nodes that are accessible by clients, this can happen in case of excessive external calls. 13 | 14 | For nodes that only have cache hits as part of block production, it is unclear if the required numbers of calls can be reached. 15 | It might be possible for pinned contracts which have 0 instantiation cost by default. 16 | 17 | ## Patch 18 | 19 | https://github.com/CosmWasm/cosmwasm/pull/1630 released as part of cosmwasm-vm 1.2.3 and wasmvm 1.2.2. 20 | 21 | Chains running wasmvm 1.2.1, you can apply the patch with 22 | 23 | ```sh 24 | go mod edit -replace github.com/CosmWasm/wasmvm=github.com/CosmWasm/wasmvm@v1.2.2 25 | ``` 26 | 27 | Chain running older versions of wasmvm should upgrade to 1.2.1 first. 28 | 29 | ## Workarounds 30 | 31 | For unpatched systems it can help to restart nodes regularly in order to make it hard to hit the range limit in practice. 32 | 33 | ## History 34 | 35 | - 2023-03-06: The issue was reported by researchers of Oak Security as part of their work wrapping up the CosmWasm 1.0 audit. 36 | - 2023-03-13: A patch was developed by Confio. 37 | - 2023-03-22: The patch was merged and released as part of cosmwasm-vm 1.2.3. 38 | - 2023-03-27: [CosmWasm audit report](https://github.com/oak-security/audit-reports/tree/master/CosmWasm) is published, listing this issue as finding No 1. 39 | - 2023-04-06: [wasmvm 1.2.2](https://github.com/CosmWasm/wasmvm/releases/tag/v1.2.2) was released, including the patch. 40 | - 2023-04-12: Advisory is written 41 | - 2023-04-13: Advisory is published 42 | -------------------------------------------------------------------------------- /CWAs/CWA-2023-002.md: -------------------------------------------------------------------------------- 1 | # CWA-2023-002: Stack overflow crash (Codename Cherry) 2 | 3 | **Affected versions:** 4 | 5 | - cosmwasm-vm < 1.0.1, < 1.1.10, < 1.2.4 6 | - wasmvm < 1.0.1, < 1.1.2, < 1.2.3 7 | 8 | **Patched versions:** 9 | 10 | - wasmvm 1.0.1 (cosmwasm-vm 1.0.1) 11 | - wasmvm 1.1.2 (cosmwasm-vm 1.1.10) 12 | - wasmvm 1.2.3 (cosmwasm-vm 1.2.4) 13 | 14 | ## Description of the bug 15 | 16 | The bug allows a recursive loop between guest and host using Wasm imports and exports, leading to a stack overflow crash of the VM. 17 | 18 | A malicious contract can implement exports such as `extern "C" fn allocate(size: usize) -> u32` differently than the standard library does. By calling a Wasm import such as `addr_validate` in the `allocate` implementation, the loop looks like 19 | 20 | - contracts calls import `addr_validate` 21 | - host calls export `allocate` 22 | - contracts calls import `addr_validate` 23 | - host calls export `allocate` 24 | - contracts calls import `addr_validate` 25 | - ... 26 | 27 | After approximately 140 recursions, the process crashes with a stack overflow. 28 | 29 | Non-malicious contracts can not trigger the loop as the regular uses of cosmwasm-std only have a call depths of up to 2. 30 | 31 | A call depth limit fixes the problem. 32 | 33 | ## Patch Announcement 34 | 35 | > Tomorrow, on Tuesday, April 18th at 17:00 Berlin time (15h UTC/ 8am Pacific Time) Confio will release a fix for a medium severity security issue in CosmWasm. The patch for this issue will be distributed and communicated via the regular CosmWasm release process. 36 | > 37 | > This issue impacts the availability of a chain running CosmWasm, and could allow for a malicious contract to trigger a crash that can halt the chain. Though chains that use CosmWasm with permissioned uploads or instantiation are not directly at risk, we advise chains that support permissionless contract instantiation to be prepared to apply the patch and to coordinate network upgrades as quickly as their processes allow to fully remediate the issue. 38 | > 39 | > The patch is not a consensus breaking security fix and can be applied in-place, and instructions will be provided to all maintainers tomorrow as part of the release process. We anticipate that the patch will be a simple, straightforward fix for chain maintainers as it is a matter of replacing one Go dependency and rebuilding the application. 40 | 41 | publish at https://forum.cosmos.network/t/upcoming-cosmwasm-security-patch-codename-cherry/10474 42 | 43 | ## Patch 44 | 45 | The actual patch is done in the codebase of cosmwasm-vm: 46 | https://github.com/CosmWasm/cosmwasm/commit/3795f5cd03288405335d4fb0c46c239dbf4c7e60 47 | 48 | It is included in the following releases: 49 | 50 | - [cosmwasm-vm 1.0.1](https://github.com/CosmWasm/cosmwasm/compare/v1.0.0...v1.0.1) 51 | - [cosmwasm-vm 1.1.10](https://github.com/CosmWasm/cosmwasm/compare/v1.1.9...v1.1.10) 52 | - [cosmwasm-vm 1.2.4](https://github.com/CosmWasm/cosmwasm/compare/v1.2.3...v1.2.4) 53 | 54 | ### Patch release 55 | 56 | The patch is shipped to chain developers in the form of a wasmvm release. 57 | Your chain might depend on wasmvm directly or have it as a transitive dependency through wasmd. 58 | 59 | The upgrade paths are the following: 60 | 61 | | Current wasmvm version | Upgrade path | Note | 62 | | ---------------------- | --------------------------------------------- | ---- | 63 | | < 1.0.0 | Unsupported | [^1] | 64 | | 1.0.0 | Upgrade wasmvm to 1.0.1 | | 65 | | 1.1.1 | Upgrade wasmvm to 1.1.2 | | 66 | | 1.2.0 | Upgrade to 1.2.2 first, then upgrade to 1.2.3 | [^2] | 67 | | 1.2.1 | Upgrade wasmvm to 1.2.3 | [^3] | 68 | | 1.2.2 | Upgrade wasmvm to 1.2.3 | | 69 | 70 | [^1]: Upgrade to any of the supported versions first. 71 | 72 | [^2]: See https://github.com/CosmWasm/wasmvm/issues/419 for required wasmd changes 73 | 74 | [^3]: No typo. You can skip 1.2.2 and upgrade from 1.2.1 -> 1.2.3 directly. 75 | 76 | ### Applying the patch 77 | 78 | 1. Go tho the Go project containing the `go.mod`. 79 | 2. One of those: 80 | - If there is a direct `github.com/CosmWasm/wasmvm` dependency listed already, update that to 1.0.1, 1.1.2 or 1.2.3 as listed above. Run . 81 | - Otherwise you have `wasmvm` as an indirect dependency of wasmd. Use `go list -m github.com/CosmWasm/wasmvm` to get the current version and then use `go mod edit -replace github.com/CosmWasm/wasmvm=github.com/CosmWasm/wasmvm@v` where `` is one of 1.0.1, 1.1.2 or 1.2.3 as listed above. 82 | 3. Run `go mod tidy` to download the dependency and update `go.sum` 83 | 4. Check the resulting version after the replace `go list -m github.com/CosmWasm/wasmvm`. 84 | 5. Build, test, deploy according to your project's established flow. 85 | 86 | After building your chain, you can check the libwasmvm version loaded at runtime with 87 | 88 | ```sh 89 | # Replace with you node name 90 | query wasm libwasmvm-version 91 | ``` 92 | 93 | ### Wasm module cache issue 94 | 95 | If you upgrade from wasmvm 1.2.{0,1} to wasmvm 1.2.{2,3} please note that 96 | most likely the machine format of the compiled Wasm modules has changed, 97 | potentially leading to segmentation faults when running the new binary. 98 | 99 | To avoid this problem, instruct your validators to delete the cache folder 100 | `/wasm/wasm/cache/` (replace with the location your project uses) 101 | after they stopped the node. 102 | 103 | See https://github.com/CosmWasm/wasmvm/issues/426 104 | 105 | ## Timeline 106 | 107 | - 2023-02-27: Confio receives a detailed vulnerability report from [Felix Wilhelm](https://twitter.com/_fel1x) of Jump Crypto, including instructions how to abuse it 108 | - 2023-03-13: Confio confirms reporter to the reporter 109 | - Further research is done and a deployment strategy is developed 110 | - 2023-04-12: Patch created 111 | - 2023-04-12: Patch release announced through [the CosmWasm security notification list](https://github.com/CosmWasm/advisories/blob/main/NOTIFICATION_LIST.md) 112 | - 2023-04-12 to 2023-04-17: Deployment coordination 113 | - 2023-04-17: Patch announcement is [published in the Cosmos forum](https://forum.cosmos.network/t/upcoming-cosmwasm-security-patch-codename-cherry/10474) 114 | - 2023-04-18 14:30 UTC: Advisory is released 115 | - 2023-04-18 15:00 UTC: Patch is released 116 | - 2023-04-18 16:15 UTC: All planned wasmvm versions are build and tagged 117 | - 2023-06-01: A detailed description of the vulnerability including attack instructions 118 | [are published by Felix Wilhelm from Jump Crypto](https://jumpcrypto.com/writing/stop-the-chain-cosmwasm-stack-overflow/) 119 | - 2023-06-19: Bug description added to CWA-2023-002 120 | -------------------------------------------------------------------------------- /CWAs/CWA-2023-003.md: -------------------------------------------------------------------------------- 1 | # CWA-2023-003: Inefficient ListChannels query implementation 2 | 3 | **Severity** 4 | 5 | Medium 6 | 7 | **Affected versions:** 8 | 9 | - wasmd < 0.42.0 10 | 11 | **Patched versions:** 12 | 13 | - wasmd 0.42.0 (released 2023-09-20; upgrade to 0.43.0 or higher because 0.42.0 was retracted for a different reason) 14 | 15 | ## Description of the bug 16 | 17 | The original implementation of [IbcQuery::ListChannels](https://github.com/CosmWasm/cosmwasm/blob/v1.4.1/packages/std/src/query/ibc.rs#L16-L20) 18 | in wasmd looped over all channels of the chain and filtered out the relevant ones. 19 | This can be an expensive operation if there are a lot of channels on a chain. 20 | Since store access is gas metered, this eventually leads to an out of gas which causes 21 | the transaction to fail. 22 | 23 | ## Patch (partially fixed) 24 | 25 | By using an implementation that filters channels by port on the storage level, we 26 | mitigate the problem to a large degree. 27 | It makes the operation much more gas efficient, reducing 28 | the risk of a DoS attack because the chain as a whole may contain a lot of channels 29 | whereas the number of channels per port is typically smaller. 30 | 31 | In https://github.com/CosmWasm/wasmd/pull/1620 you find two changes: 32 | 33 | - The implementation efficiency discussed here (`channelKeeper.IterateChannels` -> `channelKeeper.GetAllChannelsWithPortPrefix`) 34 | - The fix of the wrong default value for an unset port (unrelated to this document) 35 | 36 | However, it might still be possible to have a large number of channels that belong to 37 | a given port. In that case the query is still problematic since it does not support pagination. 38 | 39 | ## Conclusion & call to action for contract developers 40 | 41 | As iterating over all channels for a given port is a potentially unbound operation, 42 | contract developers should avoid using the query altogether and look for alternatives. 43 | Those are a few scenarios we see, but there might be more: 44 | 45 | 1. In some cases [IbcQuery::Channel](https://github.com/CosmWasm/cosmwasm/blob/v1.4.1/packages/std/src/query/ibc.rs#L21-L29) is sufficient. 46 | 2. In other cases the contract might need to store channels manually as part of the IBC handshake 47 | in a way that allows it to access use them later on, even if the number of channels is very big. 48 | 3. Some contracts might limit connectivity to one channel only and error in the IBC handshake when more channels are created. 49 | 50 | ## Timeline 51 | 52 | - The issue was reported by researchers of Oak Security as part of their work wrapping up the wasmd audit. 53 | - 2023-09-14: The (partial) patch is merged (https://github.com/CosmWasm/wasmd/pull/1620) 54 | - 2023-09-20: wasmd 0.42.0 is released, containing the patch 55 | - 2023-10-20: Advisory is written & notification list is informed 56 | - 2023-10-23: Advisory is published without details of the bug 57 | - 2023-10-30: Full advisory published 58 | -------------------------------------------------------------------------------- /CWAs/CWA-2023-004.md: -------------------------------------------------------------------------------- 1 | # CWA-2023-004: Excessive number of function paramters in compiled Wasm 2 | 3 | **Severity** 4 | 5 | High 6 | 7 | **Affected versions:** 8 | 9 | - cosmwasm-vm < 1.2.8, < 1.3.4, < 1.4.2, < 1.5.1 10 | - wasmvm < 1.2.5, < 1.3.1, < 1.4.2, < 1.5.1 11 | 12 | Versions in the 0.x, 1.0.x or 1.1.x range are probably affected as well but 13 | [reached end of life](https://medium.com/cosmwasm/eol-for-cosmwasm-1-0-1-3-22df4b34b13c) 14 | and are neither patched nor analyzed. 15 | 16 | **Patched versions:** 17 | 18 | - [wasmvm 1.2.6](https://github.com/CosmWasm/wasmvm/releases/tag/v1.2.6) (cosmwasm-vm 1.2.8) 19 | - [wasmvm 1.3.1](https://github.com/CosmWasm/wasmvm/releases/tag/v1.3.1) (cosmwasm-vm 1.3.4) 20 | - [wasmvm 1.4.2](https://github.com/CosmWasm/wasmvm/releases/tag/v1.4.2) (cosmwasm-vm 1.4.2) 21 | - [wasmvm 1.5.1](https://github.com/CosmWasm/wasmvm/releases/tag/v1.5.1) (cosmwasm-vm 1.5.1) 22 | 23 | ## Description of the bug 24 | 25 | In a Wasm file, the signature of a function is stored separately and referenced in the function. 26 | This is demonstrated in the following example where you see 27 | 28 | 1. a function signature with two integers input and one integer output is defined 29 | 2. two functions referencing this signature are defined (`a+b` and `a-b`) 30 | 3. the two functions are exported under the names "sum" and "diff" 31 | 32 | ```wasm 33 | (module 34 | (type $binary_operation_t (func (param i32 i32) (result i32))) 35 | (func $sum_f (type $binary_operation_t) 36 | local.get 0 37 | local.get 1 38 | i32.add) 39 | (func $diff_f (type $binary_operation_t) 40 | local.get 0 41 | local.get 1 42 | i32.sub) 43 | (export "sum" (func $sum_f)) 44 | (export "diff" (func $diff_f)) 45 | ) 46 | ``` 47 | 48 | This is harmless in Wasm bytecode, but once the function is compiled, signatures are inlined multiple times 49 | in the compiled code. 50 | Using a large signature that is referenced by a large number of functions, 51 | you get pretty much a compression bomb – small in the uploaded Wasm blob but huge after compilation. 52 | This can lead to 53 | modules of several hundreds of megabytes or even gigabytes, leading to unexpected cache behaviour, unexpected disk 54 | consumption, slowdows and in some cases even crashes of the node process. 55 | 56 | More in-depth description including the technical details can be found in the 57 | [article](https://www.certik.com/resources/blog/risk-and-security-enhancement-for-app-chains-an-in-depth-writeup-of-cwa-2023) 58 | released later by CertiK team. 59 | 60 | ## Patch 61 | 62 | - 1.5: https://github.com/CosmWasm/cosmwasm/compare/v1.5.0...v1.5.1 63 | - 1.4: https://github.com/CosmWasm/cosmwasm/compare/v1.4.1...v1.4.2 64 | - 1.3: https://github.com/CosmWasm/cosmwasm/compare/v1.3.3...v1.3.4 65 | - 1.2: https://github.com/CosmWasm/cosmwasm/compare/v1.2.7...v1.2.8 66 | 67 | ## Installing the patch 68 | 69 | The patch will be shipped in releases of wasmvm. You can update more or less as follows: 70 | 71 | 1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` 72 | 2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.1, 1.4.2, 1.3.1 or 1.2.6 depending on which minor version you are; `go mod tidy`; commit. 73 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly. 74 | 4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.1, 1.4.2, 1.3.1 or 1.2.6. 75 | 5. Follow your regular practices to deploy chain upgrades. 76 | 77 | To double check if the correct libary version is loaded at runtime, use this query: 78 | ` query wasm libwasmvm-version`. It must show 1.5.1, 1.4.2, 1.3.1 or 1.2.6. 79 | 80 | ## Patch Announcement 81 | 82 | Originally posted at https://forum.cosmos.network/t/high-severity-security-patch-upcoming-on-wednesday-10th-cwa-2023-004/12840 83 | 84 | > On Wednesday, January 10th between 10:00 and 12:00 Berlin time Confio will release a fix for a high severity security issue in the CosmWasm virtual machine tracked as CWA-2023-004. The patch for this issue will be distributed and communicated via the regular CosmWasm release process. 85 | > 86 | > This issue impacts the availability of a chain running CosmWasm. Chains that use CosmWasm with permissioned uploads or instantiations are not directly at risk. We advise chains that support permissionless contract instantiation to be prepared to apply the patch and to coordinate network upgrades as quickly as their processes allow to fully remediate the issue. 87 | > 88 | > The patch is a non consensus breaking security fix and can be applied in-place. Instructions will be provided as part of the release process. We anticipate that the patch will be a simple, straightforward fix for chain maintainers as it is a matter of updating the wasmvm Go dependency and rebuilding the application. 89 | > 90 | > Patches will be provided for wasmvm 1.2, 1.3, 1.4 and 1.5. Please note that 1.2 reached end of life and this is the last patch for this version. 91 | 92 | **Update 2024-01-09** 93 | 94 | > I had to make a small correction to the announcement: Chains that allow permissionless uploads and permissioned instantiations are partially affected as well and should upgrade. A chain is only safe if no malicious Wasm can be stored. 95 | 96 | ## Acknowledgement 97 | 98 | We express our appreciation to the CertiK team for discovering and responsibly reporting this bug. The detailed report made it possible to quickly understand the issue, reproduce it and confirm its validity. It was followed by collaborative efforts in developing and implementing the best possible patch for CosmWasm. 99 | 100 | We extend our gratitude to the CertiK team for their professionalism and commitment to maintaining the security of CosmWasm and the broader crypto ecosystem. Our appreciation also extends to the dedicated community of white-hats, whose continuous efforts play a crucial role in safeguarding the broader crypto ecosystem. 101 | 102 | ## Timeline 103 | 104 | - 2023-12-13: CertiK files bug report to Confio. 105 | - 2023-12-13: Confio security contributors confirm the report. 106 | - 2023-12-14: Confio security contributors confirm the reproducibility of the bug. 107 | - 2023-12-21: Confio developed the patch internally, planning for release in early January. 108 | - 2024-01-08: CosmosWasm shares the security patch with CertiK for review. 109 | - 2024-01-08: CertiK confirms the effectiveness of the security patch. 110 | - 2024-01-08: Patch release announcement is sent to the notification list and posted in the Cosmos Hub Forum. 111 | - 2024-01-09: Backports to CosmWasm 1.2, 1.3, 1.4, 1.5 are finalized. 112 | - 2024-01-10: Patch released 113 | - 2024-08-21: Title and description added to advisory 114 | -------------------------------------------------------------------------------- /CWAs/CWA-2024-001.md: -------------------------------------------------------------------------------- 1 | # CWA-2024-001: Stack overflow in serde-json-wasm 2 | 3 | **Severity** 4 | 5 | Low[^1] 6 | 7 | **Affected versions:** serde-json-wasm < 1.0.1, < 0.5.2 8 | **Patched versions:** serde-json-wasm 1.0.1, 0.5.2 9 | 10 | ## Description of the bug 11 | 12 | When parsing untrusted, deeply nested JSON, the stack may overflow. 13 | This leads to the contract being aborted with a runtime error. 14 | 15 | ## Patch 16 | 17 | - 0.5: https://github.com/CosmWasm/serde-json-wasm/pull/64 18 | - 1.0: https://github.com/CosmWasm/serde-json-wasm/pull/65 19 | 20 | ## Applying the patch 21 | 22 | 1. Run `cargo update -p serde-json-wasm` in your contract's project 23 | 2. Ensure the version of "serde-json-wasm" in `Cargo.lock` is 0.5.2 or 1.0.1 24 | 25 | ## Acknowledgement 26 | 27 | This issue was found by 0xfocu5 and Taolaw who reported it to the Cosmos Bug Bounty Program on 28 | HackerOne on 2024-01-18. 29 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 30 | program by reporting a bug, please see . 31 | 32 | ## Timeline 33 | 34 | - 2024-01-18: Confio receives a report by 0xfocu5 and Taolaw 35 | - 2024-01-19: Confio security contributors confirm the report and reproducibility of the bug. 36 | - 2024-01-22: Confio developed the patch internally. 37 | - 2024-01-23: Patch released 38 | - 2024-01-24: [Submitted to](https://github.com/rustsec/advisory-db/pull/1867) RustSec Advisory Database 39 | - 2024-02-01: Advisory published 40 | - 2024-02-09: RustSec Advisory Database entry created ([RUSTSEC-2024-0012](https://rustsec.org/advisories/RUSTSEC-2024-0012.html)) 41 | 42 | [^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md 43 | -------------------------------------------------------------------------------- /CWAs/CWA-2024-002.md: -------------------------------------------------------------------------------- 1 | # CWA-2024-002: Arithmetic overflows in cosmwasm-std 2 | 3 | **Severity** 4 | 5 | Medium[^1] 6 | 7 | **Affected versions:** 8 | 9 | - cosmwasm-std >= 2.0.0, < 2.0.2 10 | - cosmwasm-std >= 1.5.0, < 1.5.4 11 | - cosmwasm-std >= 1.3.0, < 1.4.4 12 | 13 | **Patched versions:** cosmwasm-std 1.4.4, 1.5.4, 2.0.2 14 | 15 | ## Description of the bug 16 | 17 | Some mathematical operations in `cosmwasm-std` use wrapping math instead of 18 | panicking on overflow for very big numbers. This can lead to wrong calculations in contracts 19 | that use these operations. 20 | 21 | Affected functions: 22 | 23 | - `Uint{256,512}::pow` / `Int{256,512}::pow` 24 | - `Int{256,512}::neg` (the unary negation operator `-`). The only value that can overflow is `Int{256,512}::MIN`. 25 | 26 | Affected if `overflow-checks = true` is not set: 27 | 28 | - `Uint{64,128}::pow` / `Int{64,128}::pow` 29 | - `Int{64,128}::neg` (the unary negation operator `-`). The only value that can overflow is `Int{64,128}::MIN`. 30 | 31 | ## Patch 32 | 33 | - 1.4: https://github.com/CosmWasm/cosmwasm/commit/607e7fc710fb9441096e8edbaa12879b552c8f65 34 | - 1.5: https://github.com/CosmWasm/cosmwasm/commit/eff79bcbe73b61178817aacf0a6449437adad6a9 35 | - 2.0: https://github.com/CosmWasm/cosmwasm/commit/a6a639e09adc355b5f889a09141649005cb08a46 36 | 37 | ## Applying the patch 38 | 39 | 1. Run `cargo update -p cosmwasm-std` in your contract's project 40 | 2. Ensure the version of "cosmwasm-std" in `Cargo.lock` is 1.4.4, 1.5.4 or 2.0.2 41 | 42 | ## Timeline 43 | 44 | - 2024-02-26: Confio security contributor finds this issue during testing. 45 | - 2024-02-28: Confio and Amulet meet to discuss the issue and investigate the potential impact. 46 | - 2024-04-16: Confio developed the patch internally. 47 | - 2024-04-22: The upcoming patch is announced through the CosmWasm advisories notification list and publicly on X (https://twitter.com/CosmWasm/status/1782439624608030771). 48 | - 2024-04-24: The patch is released. 49 | - 2024-04-24: RustSec Advisory Database entry created ([RUSTSEC-2024-0338](https://rustsec.org/advisories/RUSTSEC-2024-0338.html)) 50 | 51 | [^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md 52 | -------------------------------------------------------------------------------- /CWAs/CWA-2024-003.md: -------------------------------------------------------------------------------- 1 | # CWA-2024-003: Large address count in ValidateBasic 2 | 3 | **Severity** 4 | 5 | Low (Moderate + Unlikely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmd < 0.52.0 10 | 11 | **Patched versions:** wasmd 0.52.0 12 | 13 | ## Description of the bug 14 | 15 | In multiple wasmd message types it was possible to add a large number of addresses which might lead to unexpected resource consumption in `ValidateBasic`. 16 | 17 | 1. The following message types call [assertValidAddresses] via `func (a AccessConfig) ValidateBasic() error` to ensure the addresses are in the correct format and do not contain duplicates. An attacker can provide many addresses in `AccessConfig.Addresses` and specify the `AccessConfig.Permission` as `AccessTypeAnyOfAddresses`. 18 | 19 | - [MsgStoreAndInstantiateContract] 20 | - [MsgStoreAndMigrateContract] 21 | - [MsgStoreCode] 22 | - [MsgUpdateInstantiateConfig] 23 | - [MsgUpdateParams] 24 | 25 | 2. [MsgAddCodeUploadParamsAddresses] and [MsgRemoveCodeUploadParamsAddresses] call the [checkDuplicatedAddresses] function to ensure the addresses are in the correct format and do not contain duplicates. An attacker can provide many addresses in `msg.Addresses`. 26 | 27 | Both cases may leads to a large memory consumption in the map, as well as address validation efforts and a slowdown of map operations. 28 | 29 | The number of addresses a malicious actor can insert here is limited by the gas charged 30 | for transaction sizes (x/auth parameter `tx_size_cost_per_byte`) 31 | and the block size limit (CometBFT consensus setting `max_bytes`). 32 | 33 | [MsgUpdateInstantiateConfig]: https://github.com/CosmWasm/wasmd/blob/v0.51.0/x/wasm/types/tx.go#L322 34 | [MsgStoreAndInstantiateContract]: https://github.com/CosmWasm/wasmd/blob/v0.51.0/x/wasm/types/tx.go#L451 35 | [MsgStoreAndMigrateContract]: https://github.com/CosmWasm/wasmd/blob/v0.51.0/x/wasm/types/tx.go#L539 36 | [MsgStoreCode]: https://github.com/CosmWasm/wasmd/blob/v0.51.0/x/wasm/types/tx.go#L70 37 | [MsgUpdateParams]: https://github.com/CosmWasm/wasmd/blob/v0.51.0/x/wasm/types/tx.go#L341 38 | [assertValidAddresses]: https://github.com/CosmWasm/wasmd/blob/v0.51.0/x/wasm/types/params.go#L137 39 | [MsgAddCodeUploadParamsAddresses]: https://github.com/CosmWasm/wasmd/blob/v0.51.0/x/wasm/types/tx.go#L475 40 | [MsgRemoveCodeUploadParamsAddresses]: https://github.com/CosmWasm/wasmd/blob/v0.51.0/x/wasm/types/tx.go#L495 41 | [checkDuplicatedAddresses]: https://github.com/CosmWasm/wasmd/blob/v0.51.0/x/wasm/types/tx.go#L500-L509 42 | 43 | ## Patch 44 | 45 | The new unified [`validateBech32Addresses`] replaces `assertValidAddresses` and `checkDuplicatedAddresses`. It 46 | 47 | 1. Checks for a min and max element count 48 | 2. For each element checks 49 | - address validity 50 | - uniqueness 51 | 52 | The check in 1. puts an upper bound on the loop in 2. as well as the size of the map `index`. 53 | 54 | See https://github.com/CosmWasm/wasmd/pull/1926 55 | 56 | [`validateBech32Addresses`]: https://github.com/CosmWasm/wasmd/blob/v0.52.0/x/wasm/types/validation.go#L102-L126 57 | 58 | ## Applying the patch 59 | 60 | Ensure you use wasmd 0.52 or higher in your Go project: 61 | `go list -m github.com/CosmWasm/wasmd` 62 | 63 | Alternatively you can backport the patch from https://github.com/CosmWasm/wasmd/pull/1926. 64 | 65 | ## Acknowledgement 66 | 67 | This issue was found by [Richie](https://github.com/sushiwushi) who reported it to the Cosmos Bug Bounty Program on 68 | HackerOne. 69 | 70 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 71 | program by reporting a bug, please see . 72 | 73 | ## Timeline 74 | 75 | - 2024-04-21: Bug reported via Cosmos HackerOne 76 | - 2024-04-25: A patch was created internally 77 | - 2024-07-11: The patch is published and released with wasmd 0.52 78 | 79 | [^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md 80 | -------------------------------------------------------------------------------- /CWAs/CWA-2024-004.md: -------------------------------------------------------------------------------- 1 | # CWA-2024-004: Gas mispricing in cosmwasm-vm 2 | 3 | **Severity** 4 | 5 | Medium (Moderate + Likely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmvm >= 2.1.0, < 2.1.2 10 | - wasmvm >= 2.0.0, < 2.0.3 11 | - wasmvm < 1.5.4 12 | - cosmwasm-vm >= 2.1.0, < 2.1.3 13 | - cosmwasm-vm >= 2.0.0, < 2.0.6 14 | - cosmwasm-vm < 1.5.7 15 | 16 | **Patched versions:** 17 | 18 | - wasmvm 1.5.4, 2.0.3, 2.1.2 19 | - cosmwasm-vm 1.5.7, 2.0.6, 2.1.3 20 | 21 | ## Description of the bug 22 | 23 | Some Wasm operations take significantly more gas than our benchmarks indicated. 24 | This can lead to missing the [gas target](https://github.com/CosmWasm/cosmwasm/blob/e50490c4199a234200a497219b27f071c3409f58/docs/GAS.md#cosmwasm-gas-pricing) we defined by a factor of ~10x. 25 | This means a malicious contract could take 10 times as much time to execute as expected, 26 | which can be used to temporarily DoS a chain. 27 | 28 | ## Patch 29 | 30 | See the cosmwasm-vm with gas price adjustments: 31 | 32 | - 1.5: https://github.com/CosmWasm/cosmwasm/compare/v1.5.5...v1.5.7 33 | - 2.0: https://github.com/CosmWasm/cosmwasm/compare/v2.0.4...v2.0.6 34 | - 2.1: https://github.com/CosmWasm/cosmwasm/compare/v2.1.1...v2.1.3 35 | 36 | ## Applying the patch 37 | 38 | The patch will be shipped in releases of wasmvm. You can update more or less as follows: 39 | 40 | 1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` 41 | 2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.4, 2.0.3 or 2.1.2 depending on which minor version you are; `go mod tidy`; commit. 42 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly. 43 | 4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.4, 2.0.3 or 2.1.2. 44 | 5. Follow your regular practices to deploy chain upgrades. 45 | 46 | To double check if the correct libary version is loaded at runtime, use this query: 47 | ` query wasm libwasmvm-version`. It must show 1.5.4, 2.0.3 or 2.1.2. 48 | 49 | The patch is consensus breaking and requires a coordinated upgrade. 50 | 51 | ## Acknowledgement 52 | 53 | This issue was found by [unknown feature](https://github.com/unknownfeature) who reported it to the Cosmos Bug Bounty Program on 54 | HackerOne. 55 | 56 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 57 | program by reporting a bug, please see . 58 | 59 | ## Timeline 60 | 61 | - 2024-07-31: Confio receives a report through the Amulet program. 62 | - 2024-08-01: Confio security contributors confirm the report. 63 | - 2024-08-02: Confio developed the patch internally. 64 | - 2024-08-08: Patch released 65 | - 2024-08-08: Updated patched versions to ones that will invalidate the cache 66 | 67 | [^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md 68 | -------------------------------------------------------------------------------- /CWAs/CWA-2024-005.md: -------------------------------------------------------------------------------- 1 | # CWA-2024-005: Stackoverflow in wasmd 2 | 3 | **Severity** 4 | 5 | High (Critical + Likely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmd >= 0.50.0, < 0.53.0 10 | - wasmd < 0.46.0 11 | 12 | **Patched versions:** wasmd 0.53.0, 0.46.0 13 | 14 | ## Description of the bug 15 | 16 | (Blank for now. We'll add more detail once chains had a chance to upgrade.) 17 | 18 | ## Patch 19 | 20 | - 0.53.0 (`main` branch): 21 | - 0.46.0 (`releases/v0.4x` branch): 22 | 23 | ## Applying the patch 24 | 25 | The patch will be shipped in a wasmd release. You can update more or less as follows: 26 | 27 | 1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` 28 | 2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.53.0 (Cosmos SDK 0.50 compatible) or 0.46.0 (Cosmos SDK 0.47 compatible) depending on which version you are on right now; `go mod tidy`; commit. 29 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version. 30 | 4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.53.0 or 0.46.0. 31 | 5. Follow your regular practices to deploy chain upgrades. 32 | 33 | ## Acknowledgement 34 | 35 | This issue was found by [unknown feature](https://github.com/unknownfeature) who reported it to the Cosmos Bug Bounty Program on 36 | HackerOne. 37 | 38 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 39 | program by reporting a bug, please see . 40 | 41 | ## Timeline 42 | 43 | - 2024-06-28: IBC Team receives a report through the Cosmos bug bounty program maintained by Amulet. 44 | - 2024-07-18: Confio receives information about the report from the IBC Team. 45 | - 2024-08-02: Confio developed the patch internally. 46 | - 2024-08-19: Patch release announced though notifications list. 47 | - 2024-08-20: Patch release announced on X: . 48 | - 2024-08-21: Patch released. 49 | 50 | [^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md 51 | -------------------------------------------------------------------------------- /CWAs/CWA-2024-006.md: -------------------------------------------------------------------------------- 1 | # CWA-2024-006: Non-deterministic module_query_safe query 2 | 3 | **Severity** 4 | 5 | Medium (Moderate + Likely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmd 0.52.0 10 | 11 | **Patched versions:** wasmd 0.53.0 12 | 13 | ## Description of the bug 14 | 15 | Wasmd's `SmartContractState` query was marked as `module_query_safe` in wasmd 0.52.0, 16 | but in some cases, this query can be non-deterministic. This can lead to a chain halt. 17 | 18 | ## Patch 19 | 20 | The patch is part of 21 | and added in here for the sake of better visibility: 22 | 23 | 1. Remove this annotation 24 | ```diff 25 | diff --git a/proto/cosmwasm/wasm/v1/query.proto b/proto/cosmwasm/wasm/v1/query.proto 26 | index 14b0c427d..72523c134 100644 27 | --- a/proto/cosmwasm/wasm/v1/query.proto 28 | +++ b/proto/cosmwasm/wasm/v1/query.proto 29 | @@ -50,7 +50,6 @@ service Query { 30 | // SmartContractState get smart query result from the contract 31 | rpc SmartContractState(QuerySmartContractStateRequest) 32 | returns (QuerySmartContractStateResponse) { 33 | - option (cosmos.query.v1.module_query_safe) = true; 34 | option (google.api.http).get = 35 | "/cosmwasm/wasm/v1/contract/{address}/smart/{query_data}"; 36 | } 37 | ``` 38 | 2. Regenerate the protobuf files (`.pb.go`) 39 | 40 | ## Applying the patch 41 | 42 | The patch will be shipped in a wasmd release. You can update more or less as follows: 43 | 44 | 1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` 45 | 2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.53.0; `go mod tidy`; commit. 46 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version. 47 | 4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.53.0. 48 | 5. Follow your regular practices to deploy chain upgrades. 49 | 50 | ## Acknowledgement 51 | 52 | This issue was found by [amimart](https://github.com/amimart) who reported it to the 53 | Cosmos Bug Bounty Program on HackerOne. 54 | 55 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 56 | program by reporting a bug, please see . 57 | 58 | ## Timeline 59 | 60 | - 2024-07-25: Confio receives a report through the Cosmos bug bounty program maintained by Amulet. 61 | - 2024-08-13: Confio developed the patch internally. 62 | - 2024-08-19: Patch release announced though notifications list. 63 | - 2024-08-20: Patch release announced on X: . 64 | - 2024-08-21: Patch released. 65 | 66 | [^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md 67 | -------------------------------------------------------------------------------- /CWAs/CWA-2024-007.md: -------------------------------------------------------------------------------- 1 | # CWA-2024-007: Incorrect metering 2 | 3 | **Severity** 4 | 5 | Medium (Moderate + Likely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmvm >= 2.1.0, < 2.1.3 10 | - wasmvm >= 2.0.0, < 2.0.4 11 | - wasmvm < 1.5.5 12 | - cosmwasm-vm >= 2.1.0, < 2.1.4 13 | - cosmwasm-vm >= 2.0.0, < 2.0.7 14 | - cosmwasm-vm < 1.5.8 15 | 16 | **Patched versions:** 17 | 18 | - wasmvm 1.5.5, 2.0.4, 2.1.3 19 | - cosmwasm-vm 1.5.8, 2.0.7, 2.1.4 20 | 21 | ## Description of the bug 22 | 23 | Incorrect tracking of gas in Wasmer can lead to a contract consuming much more CPU time than it should be allowed to, 24 | given our [gas target](https://github.com/CosmWasm/cosmwasm/blob/e50490c4199a234200a497219b27f071c3409f58/docs/GAS.md#cosmwasm-gas-pricing). 25 | This can be used to temporarily DoS a chain by stalling block production. 26 | 27 | We have written an [in-depth article](https://medium.com/cosmwasm/metering-is-hard-cosmwasm-security-issues-explained-a797511cd54e) about this issue. 28 | 29 | ## Patch 30 | 31 | - 1.5: https://github.com/CosmWasm/cosmwasm/commit/16eabd681790508b13dac8e67f9e6e61045240ea 32 | - 2.0: https://github.com/CosmWasm/cosmwasm/commit/0e70bd83119b02f99a2c0397f0913e0803750fd9 33 | - 2.1: https://github.com/CosmWasm/cosmwasm/commit/f5bf24f3acadca2892afd58cc3ce5fdeb932d492 34 | 35 | ## Applying the patch 36 | 37 | The patch will be shipped in releases of wasmvm. You can update more or less as follows: 38 | 39 | 1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` 40 | 2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.5, 2.0.4, 2.1.3 depending on which minor version you are; `go mod tidy`; commit. 41 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly. 42 | 4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.5, 2.0.4, 2.1.3. 43 | 5. Follow your regular practices to deploy chain upgrades. 44 | 45 | To double check if the correct library version is loaded at runtime, use this query: 46 | ` query wasm libwasmvm-version`. It must show 1.5.5, 2.0.4 or 2.1.3. 47 | 48 | The patch is consensus breaking and requires a coordinated upgrade. 49 | 50 | ## Acknowledgement 51 | 52 | This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne. 53 | 54 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 55 | program by reporting a bug, please see . 56 | 57 | ## Timeline 58 | 59 | - 2024-08-28: Confio receives a report through the Cosmos bug bounty program maintained by Amulet. 60 | - 2024-08-30: Confio security contributors confirm the report. 61 | - 2024-09-02: Confio developed the patch internally. 62 | - 2024-09-23: Patch is released. 63 | 64 | [^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md 65 | -------------------------------------------------------------------------------- /CWAs/CWA-2024-008.md: -------------------------------------------------------------------------------- 1 | # CWA-2024-008: Panic in wasmvm can slow down block production 2 | 3 | **Severity** 4 | 5 | Medium (Moderate + Likely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmvm >= 2.1.0, < 2.1.3 10 | - wasmvm >= 2.0.0, < 2.0.4 11 | - wasmvm < 1.5.5 12 | - cosmwasm-vm >= 2.1.0, < 2.1.4 13 | - cosmwasm-vm >= 2.0.0, < 2.0.7 14 | - cosmwasm-vm < 1.5.8 15 | 16 | **Patched versions:** 17 | 18 | - wasmvm 1.5.5, 2.0.4, 2.1.3 19 | - cosmwasm-vm 1.5.8, 2.0.7, 2.1.4 20 | 21 | ## Description of the bug 22 | 23 | A contract can prevent gas from being reported back to the chain by causing a panic in the host, 24 | which means it can consume lots of CPU time without paying gas. 25 | This can be used to DoS a chain by stalling block production. 26 | 27 | We have written an [in-depth article](https://medium.com/cosmwasm/metering-is-hard-cosmwasm-security-issues-explained-a797511cd54e) about this issue. 28 | 29 | ## Patch 30 | 31 | - 1.5: https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd 32 | - 2.0: https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4 33 | - 2.1: https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb 34 | 35 | ## Applying the patch 36 | 37 | The patch will be shipped in releases of wasmvm. You can update more or less as follows: 38 | 39 | 1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` 40 | 2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.5, 2.0.4, 2.1.3 depending on which minor version you are; `go mod tidy`; commit. 41 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly. 42 | 4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.5, 2.0.4, 2.1.3. 43 | 5. Follow your regular practices to deploy chain upgrades. 44 | 45 | To double check if the correct library version is loaded at runtime, use this query: 46 | ` query wasm libwasmvm-version`. It must show 1.5.5, 2.0.4 or 2.1.3. 47 | 48 | The patch is consensus breaking and requires a coordinated upgrade. 49 | 50 | ## Acknowledgement 51 | 52 | This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne. 53 | 54 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 55 | program by reporting a bug, please see . 56 | 57 | ## Timeline 58 | 59 | - 2024-08-22: Confio receives a report through the Cosmos bug bounty program maintained by Amulet. 60 | - 2024-08-23: Confio security contributors confirm the report. 61 | - 2024-09-09: Confio developed the patch internally. 62 | - 2024-09-23: Patch is released. 63 | 64 | [^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md 65 | -------------------------------------------------------------------------------- /CWAs/CWA-2024-009.md: -------------------------------------------------------------------------------- 1 | # CWA-2024-009 2 | 3 | **Severity** 4 | 5 | Low (Marginal + Likely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmd > 0.40.0, < 0.53.1 10 | - wasmd < 0.34.1 11 | 12 | **Patched versions:** 13 | 14 | - wasmd 0.53.2 (please note that wasmd 0.53.1 is broken and must not be used) 15 | - wasmd 0.34.1 16 | 17 | ## Description of the bug 18 | 19 | (Blank for now. We'll add more detail once chains had a chance to upgrade.) 20 | 21 | ## Mitigations 22 | 23 | Apart from upgrading, it is recommended to **not** open the gRPC and REST APIs of _validator_ nodes to the public internet. Use isolated and resource-constrained environments for running separate public RPC nodes instead. 24 | These can then easily be thrown away and replaced with new instances in case of problems. 25 | 26 | ## Patch 27 | 28 | The patch requires upgrading wasmvm to 1.5.7, 2.0.5 or 2.1.4 and then apply this diff for Cosmos SDK 0.50 chains:
29 | https://github.com/CosmWasm/wasmd/compare/80760aea336f0f1ad34756b0f03267d98cac6a04...v0.53.2 30 | or this diff for chains using an older Cosmos SDK:
31 | https://github.com/CosmWasm/wasmd/compare/96634f38903fa31e54f49a00018613cd9a29598e...v0.34.1 32 | 33 | ## Applying the patch 34 | 35 | ### Official Wasmd patch 36 | 37 | The patch will be shipped in a wasmd release. You will also have to update `libwasmvm` if you build statically. 38 | If you already use the latest / close to latest wasmd, you can update more or less as follows: 39 | 40 | 1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` 41 | 2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.53.2 (Cosmos SDK 0.50 compatible); `go mod tidy`; commit. 42 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version. 43 | 4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.53.2. 44 | 5. Follow your regular practices to deploy chain upgrades. 45 | 46 | To double check if the correct library version is loaded at runtime, use this query: 47 | ` query wasm libwasmvm-version`. It must show 2.1.4. 48 | 49 | The patch is not consensus breaking _if you are already using wasmvm 2.1.3_. 50 | If you are instead using wasmvm 2.1.2, then upgrading to 2.1.4 includes the consensus breaking changes of 2.1.3. 51 | 52 | ### DIY Patch 53 | 54 | If you are unable to upgrade to the latest version, you can backport the wasmd patch to your version. The patch is available at [Wasmd 0.53.2](https://github.com/CosmWasm/wasmd/compare/v0.53.0...v0.53.2) and at [Wasmd 0.34.1](https://github.com/CosmWasm/wasmd/compare/v0.34.0...v0.34.1). 55 | However, if you are on a different version of wasmd, you will also be using a different version of wasmvm. We provide the required patches for wasmvm in versions 2.1.4, 2.0.5, 1.5.7. 56 | To upgrade using this method: 57 | 58 | 1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and upgrade 59 | to the closest patched version. 60 | 2. Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to the closest compatible patched version (either 2.1.4, 2.0.5 or 1.5.7); go mod tidy; commit. 61 | 3. Apply the patch linked above to your version of wasmd. 62 | 4. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version. 63 | 5. Follow your regular practices to deploy chain upgrades. 64 | 65 | To double check if the correct library version is loaded at runtime, use this query: 66 | ` query wasm libwasmvm-version`. It must show 2.1.4, 2.0.5 or 1.5.7 and must be the same as the wasmvm version in your go.sum. 67 | 68 | The patch is not consensus breaking as long as you were using the previous patch version of wasmvm before. 69 | 70 | ## Acknowledgement 71 | 72 | This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne. 73 | 74 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 75 | program by reporting a bug, please see . 76 | 77 | ## Timeline 78 | 79 | - 2024-09-25: Confio receives a report through the Cosmos bug bounty program maintained by Amulet. 80 | - 2024-09-30: Confio security contributors confirm the report. 81 | - 2024-11-21: Confio developed the patch internally. 82 | - 2024-12-06: Patch release is pre-announced through notification lists. 83 | - 2024-12-10: Patch released. 84 | 85 | [^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md 86 | -------------------------------------------------------------------------------- /CWAs/CWA-2025-001.md: -------------------------------------------------------------------------------- 1 | # CWA-2025-001: Malicious smart contract can crash the chain 2 | 3 | **Severity** 4 | 5 | Medium (Moderate + Likely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmvm >= 2.2.0, < 2.2.2 10 | - wasmvm >= 2.1.0, < 2.1.5 11 | - wasmvm >= 2.0.0, < 2.0.6 12 | - wasmvm < 1.5.8 13 | 14 | **Patched versions:** 15 | 16 | - wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2 17 | 18 | ## Description of the bug 19 | 20 | The vulnerability can be used to crash the chain. The underlying bug that causes this is present on both permissioned and premissionless chains, but it can only be triggered _reliably_ with a malicious contract, so permissioned chains are much less likely to be affected. 21 | 22 | (We'll add more detail once chains had a chance to upgrade.) 23 | 24 | ## Patch 25 | 26 | - 1.5: https://github.com/CosmWasm/wasmvm/commit/1151bc6df7d02d1889b8da37cf8510eaf4198eea 27 | - 2.0: https://github.com/CosmWasm/wasmvm/commit/d4ff2adee44e6b9f7415a5dfbb3de745ab9b7678 28 | - 2.1: https://github.com/CosmWasm/wasmvm/commit/8d44a286fabc793a2fba93752e58cd0fd5b88a2d 29 | - 2.2: https://github.com/CosmWasm/wasmvm/commit/0aefa4c378457aeb3c07e7975b875be38872c56d 30 | 31 | ## Applying the patch 32 | 33 | The patch will be shipped in releases of wasmvm. You can update more or less as follows: 34 | 35 | 1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` 36 | 2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to one of the patched version 37 | depending on which minor version you are on; `go mod tidy`; commit. 38 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly. 39 | 4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.8, 2.0.6, 2.1.5 or 2.2.2. 40 | 5. Follow your regular practices to deploy chain upgrades. 41 | 42 | While the fix for this issue is not consensus breaking, the patch contains another 43 | consensus breaking fix and requires a coordinated upgrade. 44 | 45 | ## Acknowledgement 46 | 47 | This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne. 48 | 49 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 50 | program by reporting a bug, please see . 51 | 52 | ## Timeline 53 | 54 | - 2024-11-25: Confio receives a report through the Cosmos bug bounty program maintained by Amulet. 55 | - 2024-11-28: Confio security contributors confirm the report. 56 | - 2024-11-28: Confio developed the patch internally. 57 | - 2025-02-04: Patch gets released. 58 | 59 | [^1]: following Amulet's Severity Classification Framework ACMv1.2: https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md 60 | -------------------------------------------------------------------------------- /CWAs/CWA-2025-002.md: -------------------------------------------------------------------------------- 1 | # CWA-2025-002: Malicious smart contract can slow down block production 2 | 3 | **Severity** 4 | 5 | Medium (Moderate + Likely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmvm >= 2.2.0, < 2.2.2 10 | - wasmvm >= 2.1.0, < 2.1.5 11 | - wasmvm >= 2.0.0, < 2.0.6 12 | - wasmvm < 1.5.8 13 | 14 | **Patched versions:** 15 | 16 | - wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2 17 | 18 | ## Description of the bug 19 | 20 | The vulnerability can be used to slow down block production. The attack requires a malicious contract, 21 | so permissioned chains are unlikely to be affected. 22 | 23 | (We'll add more detail once chains had a chance to upgrade.) 24 | 25 | ## Patch 26 | 27 | - 1.5: https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27 28 | - 2.0: https://github.com/CosmWasm/cosmwasm/commit/d6143b0aff16a39bbea4be37597d8e9d9b213d3b 29 | - 2.1: https://github.com/CosmWasm/cosmwasm/commit/f0c04c03cbe2557634c1bbcdc2ce203fe7caca58 30 | - 2.2: https://github.com/CosmWasm/cosmwasm/commit/a5d62f65b5eb947ebe40e2085b1c48a9d0a244d0 31 | 32 | ## Applying the patch 33 | 34 | The patch will be shipped in releases of wasmvm. You can update more or less as follows: 35 | 36 | 1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` 37 | 2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to one of the patched version 38 | depending on which minor version you are on; `go mod tidy`; commit. 39 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly. 40 | 4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.8, 2.0.6, 2.1.5 or 2.2.2. 41 | 5. Follow your regular practices to deploy chain upgrades. 42 | 43 | The patch is consensus breaking and requires a coordinated upgrade. 44 | 45 | ## Acknowledgement 46 | 47 | This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne. 48 | 49 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 50 | program by reporting a bug, please see . 51 | 52 | ## Timeline 53 | 54 | - 2024-11-24: Confio receives a report through the Cosmos bug bounty program maintained by Amulet. 55 | - 2024-12-20: Confio security contributors confirm the report. 56 | - 2024-01-27: Confio developed the patch internally. 57 | - 2025-02-04: Patch gets released. 58 | 59 | [^1]: following Amulet's Severity Classification Framework ACMv1.2: https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md 60 | -------------------------------------------------------------------------------- /CWAs/CWA-2025-003.md: -------------------------------------------------------------------------------- 1 | # CWA-2025-003: Smart contract can cause consensus failures for some nodes 2 | 3 | **Severity** 4 | 5 | Low (Marginal + Likely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmvm 2.2.2 10 | - wasmvm 2.1.5 11 | - wasmvm 2.0.6 (unsupported) 12 | - wasmvm 1.5.8 13 | 14 | **Patched versions:** 15 | 16 | - wasmvm 1.5.9, 2.1.6, 2.2.3 17 | 18 | ## Description of the bug 19 | 20 | When running into it, the vulnerability will cause nodes running with the `--trace` flag to run into consensus failure. 21 | Running into this issue does _not_ require a malicious contract and can happen by accident with non-malicious contracts. 22 | It can happen on both permissioned and permissionless chains. 23 | 24 | ## Mitigations 25 | 26 | Do not run nodes (especially validator nodes) with the `--trace` flag (or run all of them with the flag enabled). 27 | Alternatively, upgrade to a patched version once it is released. 28 | 29 | ## Applying the patch 30 | 31 | The patch will be shipped in releases of wasmvm. You can update more or less as follows: 32 | 33 | 1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` 34 | 2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to one of the patched version 35 | depending on which minor version you are on; `go mod tidy`; commit. 36 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly. 37 | 4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.9, 2.1.6 or 2.2.3. 38 | 5. Follow your regular practices to deploy chain upgrades. 39 | 40 | The patch is consensus breaking and requires a coordinated upgrade. 41 | 42 | ## Acknowledgement 43 | 44 | [pinosu] from Confio first found this on Neutron and reported it to the Neutron team. 45 | After some investigation, Sergey Golyshkin from the Neutron team figured out that this is 46 | caused by CosmWasm and reported this back to Confio. 47 | The same issue was later reported by a member of the Injective community. Thank you! 48 | 49 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 50 | program by reporting a bug, please see . 51 | 52 | ## Timeline 53 | 54 | - 2025-02-17: Confio finds the issue and reports it to the Neutron team. 55 | - 2025-02-19: Neutron does some testing and points out the problematic part of the CosmWasm code. 56 | - 2025-03-03: Confio developed the patch internally. 57 | - 2025-03-05: Patch gets released. 58 | 59 | [pinosu]: https://github.com/pinosu 60 | 61 | [^1]: following Amulet's Severity Classification Framework ACMv1.2: 62 | -------------------------------------------------------------------------------- /CWAs/CWA-2025-004.md: -------------------------------------------------------------------------------- 1 | # CWA-2025-004: Sub-context gas not consumed on non-OutOfGas panics 2 | 3 | **Severity** 4 | 5 | Low (Marginal + Likely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmd 0.60.0 10 | - wasmd >= 0.40.0 < 0.55.1 11 | - wasmd < 0.34.2 12 | 13 | **Patched versions:** 14 | 15 | - wasmd 0.60.1, 0.55.1, 0.54.1, 0.53.3, 0.34.2 16 | 17 | ## Description of the bug 18 | 19 | In very specific cases, a sub-message can avoid paying gas and end the transaction. 20 | To our knowledge, this cannot be used to consume more than the gas limit. 21 | 22 | ## Patch 23 | 24 | https://github.com/CosmWasm/wasmd/compare/0c86c4fbbcb4e7ef60e73865d8654b840d88d419...4ec25764f9a4ec81324783ac30273cf67b6b3b27 25 | (for wasmd 0.60) 26 | 27 | ## Applying the patch 28 | 29 | The patch will be shipped in a wasmd release. You will also have to update `libwasmvm` if you build statically. 30 | If you already use the latest / close to latest wasmd, you can update more or less as follows: 31 | 32 | 1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` 33 | 2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.60.1 (Cosmos SDK 0.53 compatible), 0.55.1 (Cosmos SDK 0.50 compatible), 0.54.1, 0.53.3 or 0.34.2 (Cosmos SDK 0.45 compatible); `go mod tidy`; commit. 34 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version. 35 | 4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.60.1, 0.55.1, 0.54.1, 0.53.3 or 0.34.2. 36 | 5. Follow your regular practices to deploy chain upgrades. 37 | 38 | The patch is consensus breaking. 39 | 40 | ## Acknowledgement 41 | 42 | This problem was discovered during an audit of the CosmWasm stack performed by Sherlock and funded by ICF/ICL in Q1 2025. Thank you for that work! 43 | 44 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 45 | program by reporting a bug, please see . 46 | 47 | ## Timeline 48 | 49 | - 2025-03-01: Auditor informs Confio about this issue. 50 | - 2025-03-28: Confio developed the patch internally. 51 | - 2025-06-05: Upcoming patch is announced. 52 | - 2025-06-10: Patch is released. 53 | 54 | [^1]: following Amulet's Severity Classification Framework ACMv1.2: 55 | -------------------------------------------------------------------------------- /CWAs/CWA-2025-005.md: -------------------------------------------------------------------------------- 1 | # CWA-2025-005: Missing contract setup cost for IBC entrypoints 2 | 3 | **Severity** 4 | 5 | Medium (Moderate + Likely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmd 0.60.0 10 | - wasmd >= 0.40.0 < 0.55.1 11 | - wasmd < 0.34.2 12 | 13 | **Patched versions:** 14 | 15 | - wasmd 0.60.1, 0.55.1, 0.54.1, 0.53.3, 0.34.2 16 | 17 | ## Description of the bug 18 | 19 | The IBC entrypoints do not charge contract setup cost, potentially allowing a contract to 20 | cause more node work than it should be able to. The exact extent of the impact is unknown. 21 | Permissioned chains are most likely not affected. 22 | 23 | ## Patch 24 | 25 | https://github.com/CosmWasm/wasmd/compare/85a8508e85be0d435a09346505321d4e26c0d441...bb4b7c41c0e334f31459653c8bdc6e8468490e49 + [wasmvm update](https://github.com/CosmWasm/wasmd/pull/2279) 26 | (for wasmd 0.60) 27 | 28 | ## Applying the patch 29 | 30 | The patch will be shipped in a wasmd release. You will also have to update `libwasmvm` if you build statically. 31 | If you already use the latest / close to latest wasmd, you can update more or less as follows: 32 | 33 | 1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` 34 | 2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.60.1 (Cosmos SDK 0.53 compatible), 0.55.1 (Cosmos SDK 0.50 compatible), 0.54.1, 0.53.3 or 0.34.2 (Cosmos SDK 0.45 compatible); `go mod tidy`; commit. 35 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version. 36 | 4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.60.1, 0.55.1, 0.54.1, 0.53.3 or 0.34.2. 37 | 5. Follow your regular practices to deploy chain upgrades. 38 | 39 | The patch is consensus breaking. 40 | 41 | ## Acknowledgement 42 | 43 | This problem was discovered during an audit of the CosmWasm stack performed by Sherlock and funded by ICF/ICL in Q1 2025. Thank you for that work! 44 | 45 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 46 | program by reporting a bug, please see . 47 | 48 | ## Timeline 49 | 50 | - 2025-02-27: Auditor informs Confio about this issue. 51 | - 2025-04-24: Confio developed the patch internally. 52 | - 2025-06-05: Upcoming patch is announced. 53 | - 2025-06-10: Patch is released. 54 | 55 | [^1]: following Amulet's Severity Classification Framework ACMv1.2: 56 | -------------------------------------------------------------------------------- /CWAs/CWA-2025-006.md: -------------------------------------------------------------------------------- 1 | # CWA-2025-006: Improper error handling may lead to IBC channel opening despite error 2 | 3 | **Severity** 4 | 5 | High (Considerable + Likely)[^1] 6 | 7 | **Affected versions:** 8 | 9 | - wasmd 0.60.0 10 | - wasmd >= 0.51.0 < 0.55.1 11 | 12 | **Patched versions:** 13 | 14 | - wasmd 0.60.1, 0.55.1, 0.54.1, 0.53.3 15 | 16 | ## Description of the bug 17 | 18 | A contract erroring during IBC channel opening does not prevent the channel from opening. 19 | 20 | ## Patch 21 | 22 | https://github.com/CosmWasm/wasmd/compare/4ec25764f9a4ec81324783ac30273cf67b6b3b27...85a8508e85be0d435a09346505321d4e26c0d441 23 | (for wasmd 0.60) 24 | 25 | ## Applying the patch 26 | 27 | The patch will be shipped in a wasmd release. You will also have to update `libwasmvm` if you build statically. 28 | If you already use the latest / close to latest wasmd, you can update more or less as follows: 29 | 30 | 1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` 31 | 2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.60.1 (Cosmos SDK 0.53 compatible), 0.55.1 (Cosmos SDK 0.50 compatible), 0.54.1 or 0.53.3; `go mod tidy`; commit. 32 | 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version. 33 | 4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.60.1, 0.55.1, 0.54.1 or 0.53.3. 34 | 5. Follow your regular practices to deploy chain upgrades. 35 | 36 | The patch is consensus breaking. 37 | 38 | ## Acknowledgement 39 | 40 | This problem was discovered during an audit of the CosmWasm stack performed by Sherlock and funded by ICF/ICL in Q1 2025. Thank you for that work! 41 | 42 | If you believe you have found a bug in the Interchain Stack or would like to contribute to the 43 | program by reporting a bug, please see . 44 | 45 | ## Timeline 46 | 47 | - 2025-03-03: Auditor informs Confio about this issue. 48 | - 2025-04-10: Confio developed the patch internally. 49 | - 2025-06-05: Upcoming patch is announced. 50 | - 2025-06-10: Patch is released. 51 | 52 | [^1]: following Amulet's Severity Classification Framework ACMv1.2: 53 | -------------------------------------------------------------------------------- /CWAs/README.md: -------------------------------------------------------------------------------- 1 | # Index of CosmWasm Advisories 2 | 3 | ## 2025 4 | 5 | | Severity[^1] | Scope[^2] | ID | Aliases | 6 | | ------------ | --------- | --------------------------------------------------------------------------------------------------- | --------------------- | 7 | | High | x/wasm | [CWA-2025-006: Improper error handling may lead to IBC channel opening despite error][CWA-2025-006] | | 8 | | Medium | x/wasm | [CWA-2025-005: Missing contract setup cost for IBC entrypoints][CWA-2025-005] | | 9 | | Low | x/wasm | [CWA-2025-004: Sub-context gas not consumed on non-OutOfGas panics][CWA-2025-004] | | 10 | | Low | VM | [CWA-2025-003: Smart contract can cause consensus failures for some nodes][CWA-2025-003] | | 11 | | Medium | VM | [CWA-2025-002: Malicious smart contract can slow down block production][CWA-2025-002] | [GHSA-mx2j-7cmv-353c] | 12 | | Medium | VM | [CWA-2025-001: Malicious smart contract can crash the chain][CWA-2025-001] | [GHSA-23qp-3c2m-xx6w] | 13 | 14 | [CWA-2025-006]: ./CWA-2025-006.md 15 | [CWA-2025-005]: ./CWA-2025-005.md 16 | [CWA-2025-004]: ./CWA-2025-004.md 17 | [CWA-2025-003]: ./CWA-2025-003.md 18 | [CWA-2025-002]: ./CWA-2025-002.md 19 | [CWA-2025-001]: ./CWA-2025-001.md 20 | [GHSA-mx2j-7cmv-353c]: https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-mx2j-7cmv-353c 21 | [GHSA-23qp-3c2m-xx6w]: https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-23qp-3c2m-xx6w 22 | 23 | ## 2024 24 | 25 | | Severity[^1] | Scope[^2] | ID | Aliases | 26 | | ------------ | --------- | ---------------------------------------------------------------------------- | ------------------------------------------ | 27 | | Low | VM | [CWA-2024-009][CWA-2024-009] | [GHSA-vmg2-r3xv-r3xf] | 28 | | Medium | VM | [CWA-2024-008: Panic in wasmvm can slow down block production][CWA-2024-008] | [GHSA-vmqh-5232-v43r] | 29 | | Medium | VM | [CWA-2024-007: Incorrect metering][CWA-2024-007] | [GHSA-2q97-m5rc-p3gp] | 30 | | Medium | x/wasm | [CWA-2024-006: Non-deterministic module_query_safe query][CWA-2024-006] | [GHSA-fpgj-cr28-fvpx] | 31 | | High | x/wasm | [CWA-2024-005: Stackoverflow in wasmd][CWA-2024-005] | [GHSA-g8w7-7vgg-x7xg] | 32 | | Medium | VM | [CWA-2024-004: Gas mispricing in cosmwasm-vm][CWA-2024-004] | [RUSTSEC-2024-0361], [GHSA-rg2q-2jh9-447q] | 33 | | Low | x/wasm | [CWA-2024-003: Large address count in ValidateBasic][CWA-2024-003] | [GHSA-m3rh-cvr5-x6q4] | 34 | | Medium | Contracts | [CWA-2024-002: Arithmetic overflows in cosmwasm-std][CWA-2024-002] | [RUSTSEC-2024-0338], [GHSA-8724-5xmm-w5xq] | 35 | | Low | Contracts | [CWA-2024-001: Stack overflow in serde-json-wasm][CWA-2024-001] | [RUSTSEC-2024-0012], [GHSA-rr69-rxr6-8qwf] | 36 | 37 | [CWA-2024-009]: ./CWA-2024-009.md 38 | [CWA-2024-008]: ./CWA-2024-008.md 39 | [CWA-2024-007]: ./CWA-2024-007.md 40 | [CWA-2024-006]: ./CWA-2024-006.md 41 | [CWA-2024-005]: ./CWA-2024-005.md 42 | [CWA-2024-004]: ./CWA-2024-004.md 43 | [CWA-2024-003]: ./CWA-2024-003.md 44 | [CWA-2024-002]: ./CWA-2024-002.md 45 | [CWA-2024-001]: ./CWA-2024-001.md 46 | [RUSTSEC-2024-0338]: https://rustsec.org/advisories/RUSTSEC-2024-0338.html 47 | [RUSTSEC-2024-0012]: https://rustsec.org/advisories/RUSTSEC-2024-0012.html 48 | [RUSTSEC-2024-0361]: https://rustsec.org/advisories/RUSTSEC-2024-0361.html 49 | [GHSA-8724-5xmm-w5xq]: https://github.com/advisories/GHSA-8724-5xmm-w5xq 50 | [GHSA-rr69-rxr6-8qwf]: https://github.com/advisories/GHSA-rr69-rxr6-8qwf 51 | [GHSA-rg2q-2jh9-447q]: https://github.com/advisories/GHSA-rg2q-2jh9-447q 52 | [GHSA-m3rh-cvr5-x6q4]: https://github.com/advisories/GHSA-m3rh-cvr5-x6q4 53 | [GHSA-g8w7-7vgg-x7xg]: https://github.com/advisories/GHSA-g8w7-7vgg-x7xg 54 | [GHSA-fpgj-cr28-fvpx]: https://github.com/advisories/GHSA-fpgj-cr28-fvpx 55 | [GHSA-2q97-m5rc-p3gp]: https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-2q97-m5rc-p3gp 56 | [GHSA-vmqh-5232-v43r]: https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-vmqh-5232-v43r 57 | [GHSA-vmg2-r3xv-r3xf]: https://github.com/CosmWasm/wasmd/security/advisories/GHSA-vmg2-r3xv-r3xf 58 | 59 | ## 2023 60 | 61 | | Severity[^1] | Scope[^2] | ID | 62 | | ------------ | --------- | ------------------------------------------------------------------------------------- | 63 | | High | VM | [CWA-2023-004: Excessive number of function paramters in compiled Wasm][CWA-2023-004] | 64 | | Medium | x/wasm | [CWA-2023-003: Inefficient ListChannels query implementation][CWA-2023-003] | 65 | | | VM | [CWA-2023-002: Stack overflow crash (Codename Cherry)][CWA-2023-002] | 66 | | | VM | [CWA-2023-001: Potential overflow in cache statistics][CWA-2023-001] | 67 | 68 | [CWA-2023-004]: ./CWA-2023-004.md 69 | [CWA-2023-003]: ./CWA-2023-003.md 70 | [CWA-2023-002]: ./CWA-2023-002.md 71 | [CWA-2023-001]: ./CWA-2023-001.md 72 | 73 | ## 2022 74 | 75 | | Severity[^1] | Scope[^2] | ID | 76 | | ------------ | --------- | -------------------------------------------------------------------------------------- | 77 | | | x/wasm | [CWA-2022-005: Denial of service through predictable contract addresses][CWA-2022-005] | 78 | | | x/wasm | [CWA-2022-004: Unlimited query stack][CWA-2022-004] | 79 | | | x/wasm | [CWA-2022-003: Nondeterministic Stargate queries][CWA-2022-003] | 80 | | | VM | [CWA-2022-002: Non-normalized bech32 casing in Addr type][CWA-2022-002] | 81 | | | x/wasm | [CWA-2022-001: Non-deterministic queries][CWA-2022-001] | 82 | 83 | [CWA-2022-005]: ./CWA-2022-005.md 84 | [CWA-2022-004]: ./CWA-2022-004.md 85 | [CWA-2022-003]: ./CWA-2022-003.md 86 | [CWA-2022-002]: ./CWA-2022-002.md 87 | [CWA-2022-001]: ./CWA-2022-001.md 88 | 89 | ## 2021 90 | 91 | | Severity[^1] | Scope[^2] | ID | 92 | | ------------ | --------- | ------------------------------------------------------------------------------------------- | 93 | | | VM | [CWA-2021-003: Nondeterministic stacktrace in VmError][CWA-2021-003] | 94 | | | | CWA-2021-002: reserved | 95 | | | VM | [CWA-2021-001: Logic error in none handling in copyAndDestroyUnmanagedVector][CWA-2021-001] | 96 | 97 | [CWA-2021-003]: ./CWA-2021-003.md 98 | [CWA-2021-002]: ./CWA-2021-002.md 99 | [CWA-2021-001]: ./CWA-2021-001.md 100 | 101 | [^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md 102 | 103 | [^2]: Contracts: everything compiled into Wasm (comswasm-std, other contract libraries); VM: everything executing contracts (cosmwasm-vm, wasmvm); x/wasm: integration of the VM into the chain (wasmd) 104 | -------------------------------------------------------------------------------- /NOTIFICATION_LIST.md: -------------------------------------------------------------------------------- 1 | # Notification List for CosmWasm Advisories 2 | 3 | Add your project here via a PR if you want to get notified. 4 | See README.md for what this is all about. 5 | 6 | | Project name | SECURITY.md | Has email\* | 7 | | -------------- | ---------------------------------------------------------------------------------------------------- | ----------- | 8 | | Archway | [SECURITY.md](https://github.com/archway-network/archway/security/policy) | ✅ | 9 | | Aura Network | [SECURITY.md](https://github.com/aura-nw/aura/blob/main/SECURITY.md) | ✅ | 10 | | Axelar Network | [SECURITY.md](https://github.com/axelarnetwork/axelar-core/blob/main/SECURITY.md) | ✅ | 11 | | BabylonChain | [SECURITY.md](https://github.com/babylonlabs-io/babylon/blob/main/SECURITY.md) | ✅ | 12 | | Comdex | [SECURITY.md](https://github.com/comdex-official/comdex/blob/development/SECURITY.md) | ✅ | 13 | | Coreum | [SECURITY.md](https://github.com/CoreumFoundation/coreum/blob/master/SECURITY.md) | ✅ | 14 | | Cosmos Hub | [SECURITY.md](https://github.com/cosmos/gaia/blob/main/SECURITY.md) | ✅ | 15 | | Desmos | [SECURITY.md](https://github.com/desmos-labs/desmos/blob/master/SECURITY.md) | ✅ | 16 | | Firmachain | [SECURITY.md](https://github.com/FirmaChain/firmachain/blob/master/SECURITY.md) | ✅ | 17 | | Injective | [SECURITY.md](https://github.com/InjectiveLabs/injective-chain-releases/blob/master/SECURITY.md) | ✅ | 18 | | Jackal | [SECURITY.md](https://github.com/JackalLabs/canine-chain/blob/master/SECURITY.md) | ✅ | 19 | | Juno | [SECURITY.md](https://github.com/CosmosContracts/juno/blob/main/SECURITY.md) | ✅ | 20 | | Migaloo | [SECURITY.md](https://github.com/White-Whale-Defi-Platform/migaloo-chain/blob/main/docs/SECURITY.md) | ✅ | 21 | | Neutron | [SECURITY.md](https://github.com/neutron-org/neutron/blob/main/SECURITY.md) | ✅ | 22 | | Nym | [SECURITY.md](https://github.com/nymtech/nym/blob/develop/SECURITY.md) | ✅ | 23 | | Osmosis | [SECURITY.md](https://github.com/osmosis-labs/osmosis/blob/main/SECURITY.md) | ✅ | 24 | | Persistence | [SECURITY.md](https://github.com/persistenceOne/persistenceCore/blob/master/SECURITY.md) | ✅ | 25 | | Provenance | [SECURITY.md](https://github.com/provenance-io/provenance/blob/main/SECURITY.md) | ✅ | 26 | | Secret Network | [SECURITY.md](https://github.com/scrtlabs/SecretNetwork/blob/master/SECURITY.md) | ✅ | 27 | | SEDA | [SECURITY.md](https://github.com/sedaprotocol/seda-chain/blob/main/SECURITY.md) | ✅ | 28 | | Sei | [SECURITY.md](https://github.com/sei-protocol/sei-chain/blob/main/SECURITY.md) | ✅ | 29 | | Stargaze | [SECURITY.md](https://github.com/public-awesome/stargaze/blob/main/SECURITY.md) | ✅ | 30 | | Stride | [SECURITY.md](https://github.com/Stride-Labs/stride/blob/main/SECURITY.md) | ✅ | 31 | | Terra | [SECURITY.md](https://github.com/terra-money/core/blob/main/SECURITY.md) | | 32 | | XPLA Chain | [SECURITY.md](https://github.com/xpladev/xpla/blob/main/SECURITY.md) | ✅ | 33 | 34 | \* email addresses are the preferred communication channel as they 35 | allow efficient broadcasting. Emails are always sent out first. 36 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CosmWasm Advisories 2 | 3 | We at [Confio](https://confio.gmbh/) love open source! We work in the best intent with a public review process but must accept that software can contain bugs and therefore our code, too. 4 | 5 | In order to help with resolving any issues on production system, we have started the advisories project to link to authorized communication channels of [CosmWasm](https://cosmwasm.com/) blockchains. 6 | Confio will inform the linked chains about **critical issues** reported to us directly on **non-public channels** before opening an issue on our related projects. 7 | Nevertheless, providing this information should not prevent us or anybody else from working on a fix nor block a patch roll out. 8 | This also does not include bugs and issues reported to us publicly via GitHub issues or official discord channels. Chains using our projects are encouraged to **watch the GitHub repos and official channels** on [CosmWasm discord](https://discord.com/invite/cPjEnPd) in order to maintain their own software stack. 9 | 10 | ## Supported projects and version 11 | 12 | - CosmWasm ([cosmwasm-\*](https://github.com/CosmWasm/cosmwasm) and [wasmvm](https://github.com/CosmWasm/wasmvm)) 13 | - ~1.2.x ([until 2023-12-31](https://medium.com/cosmwasm/eol-for-cosmwasm-1-0-1-3-22df4b34b13c))~ 14 | - ~1.3.x ([until 2024-03-31](https://medium.com/cosmwasm/eol-for-cosmwasm-1-0-1-3-22df4b34b13c))~ 15 | - ~1.4.x ([until 2024-07-31](https://medium.com/cosmwasm/cosmwasm-1-5-becomes-long-term-support-lts-version-16632bf06f2a))~ 16 | - ~1.5.x ([until 2025-04-30](https://medium.com/cosmwasm/cosmwasm-2-2-becomes-long-term-support-lts-version-7fdd6a507485))~ 17 | - ~2.0.x ([until 2025-01-31](https://medium.com/cosmwasm/cosmwasm-2-2-becomes-long-term-support-lts-version-7fdd6a507485))~ 18 | - ~2.1.x ([until 2025-01-31](https://medium.com/cosmwasm/cosmwasm-2-2-becomes-long-term-support-lts-version-7fdd6a507485))~ 19 | - 2.2.x 20 | - [wasmd](https://github.com/CosmWasm/wasmd) 21 | - 1.0.x 22 | 23 | ## Criteria to get on the notification list 24 | 25 | - Running CosmWasm projects **on production** or public testnet. 26 | - `SECURITY.md` placed in your main repo and main branch with contact details and infos on your disclosure process. 27 | - Commitment to share issues and bugs with Confio and the CosmWasm community. 28 | 29 | If your project meets these criteria, please submit a PR to add your chain to the list below. 30 | 31 | ## Disclaimer 32 | 33 | We likely will not have capacity to maintain this service for all versions and projects forever. 34 | 35 | So we want to keep the right to: 36 | 37 | - modify this document, 38 | - add/remove project and versions, 39 | - change the criteria and revisit the listed members, 40 | - not accept every application. 41 | 42 | ## Notification list 43 | 44 | See [NOTIFICATION_LIST.md](NOTIFICATION_LIST.md) 45 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | This is a shared security policy for the CosmWasm stack, including the following repositories: 4 | 5 | - Execution environment 6 | - [cosmwasm] 7 | - [wasmvm] 8 | - [wasmd] 9 | - Standard library dependencies 10 | - [serde-json-wasm] 11 | - Libraries for building contracts 12 | - [cw-plus] 13 | - [cw-storage-plus] 14 | - [cw-utils] 15 | - Build tools 16 | - [rust-optimizer] 17 | 18 | ## Reporting a Vulnerability 19 | 20 | There are three ways to report a security issue 21 | 22 | | | Cosmos HackerOne Bug Bounty program | security@interchain.io | security@confio.gmbh | 23 | | ------------------- | ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 24 | | Maintained by | Interchain Labs | Interchain Labs | Confio | 25 | | Eligible for bounty | yes | no | no | 26 | | Reporting link | | [security@interchain.io](mailto:security@interchain.io) | [security@confio.gmbh](mailto:security@confio.gmbh) | 27 | | Reporter management | professional communication | professional communication | best effort | 28 | | Details | See program details at | If you prefer to report an issue via email, you may send a bug report to security@interchain.io with the issue details, reproduction, impact, and other information. Please submit only one unique email thread per vulnerability. Any issues reported via email are ineligible for bounty rewards. | You will receive a response from us within 4 working days confirming that a human read your email. If you do not hear back within 1 week, feel free to send a reminder or try to notify core team members via different channels. | 29 | 30 | Please only choose one. In all cases the analysis and fixing of the issue will be performed by Confio. 31 | 32 | Within a few days we try to reproduce the issue and confirm it. After that we work on a patch and a release strategy. Experience shows the later part is harder than the actual patch as we need to evaluate which versions are affected, for which versions a patch is provided, if that patch is consensus or state breaking and how users can apply the patch. This part can take a few days up to multiple weeks. 33 | 34 | Please avoid opening public issues on GitHub that contains information about a potential security vulnerability as this makes it difficult to reduce the impact and harm of valid security issues. 35 | 36 | ## Supported Versions 37 | 38 | The supported versions are described in more detail in the individual repositories. This is a summary: 39 | 40 | - CosmWasm ([cosmwasm-\*][cosmwasm] and [wasmvm]) 41 | - 1.2.x ([until 2023-12-31](https://medium.com/cosmwasm/eol-for-cosmwasm-1-0-1-3-22df4b34b13c)) 42 | - 1.3.x ([until 2024-03-31](https://medium.com/cosmwasm/eol-for-cosmwasm-1-0-1-3-22df4b34b13c)) 43 | - 1.4.x 44 | - 1.5.x 45 | - 2.0.x 46 | - [wasmd] 1.x 47 | - [cw-plus], [cw-storage-plus], [cw-utils] 1.x 48 | 49 | ## Coordinated Vulnerability Disclosure Policy 50 | 51 | We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. In addition to this, we ask that you: 52 | 53 | - Allow us a reasonable amount of time to correct or address security vulnerabilities. 54 | - Avoid exploiting any vulnerabilities that you discover. 55 | - Demonstrate good faith by not disrupting or degrading services built on top of this software. 56 | 57 | ## Vulnerability Disclosure Process 58 | 59 | Confio uses the following disclosure process for the various CosmWasm-related repos: 60 | 61 | - Once a security report is received, the core development team works to verify the issue. 62 | - Patches are prepared for eligible releases in private repositories. 63 | - We notify the community that a security release is coming, to give users time to prepare their systems for the update. 64 | - The notification contains the release date and time (72-24 hours after the notification). 65 | - The notification contains as little information as possible, to make it hard for attackers to guess where to search. However, depending on the situation it may contain additional information such as whether the patch will be consensus breaking, or if chains with permissioned CosmWasm integration are equally affected as permissionless chains. 66 | - The projects on the [notification list](https://github.com/CosmWasm/advisories#notification-list) are informed first. Please add yourself via a PR if you want to receive notifications. 67 | - Right after that the notification is publicly broadcast, including Discord messages, tweets, and emails to partners and validators. 68 | - The fixes are applied publicly and new releases are issued. 69 | - Once releases are available, we notify the community, again, through the same channels as above. 70 | - Once the patches have been properly rolled out and no earlier than 7 days after the release, we will publish a post with further details on the vulnerability as well as our response to it. 71 | - Note that we are working on a concept for bug bounties and they are not currently available. 72 | 73 | This process can take some time. Every effort will be made to handle the bug as quickly and thoroughly as possible. However, it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep this codebase and the projects that depend on them secure. 74 | 75 | ### Exceptions 76 | 77 | Please note that issues are considered already disclosed if there is a public patch for it or it is discussed in public (e.g. CWA-2023-001). In those cases the above process does not apply. 78 | An exception can be cases where the fix was well hidden and neither the fix not the public discussion reveals 79 | a vulnerability was patched (e.g. CWA-2022-005). 80 | Advisories are created and published in any case for future reference, giving credit to the people involved and the learning opportunity. 81 | 82 | [cosmwasm]: https://github.com/CosmWasm/cosmwasm 83 | [cw-plus]: https://github.com/CosmWasm/cw-plus 84 | [cw-storage-plus]: https://github.com/CosmWasm/cw-storage-plus 85 | [cw-utils]: https://github.com/CosmWasm/cw-utils 86 | [serde-json-wasm]: https://github.com/CosmWasm/serde-json-wasm 87 | [rust-optimizer]: https://github.com/CosmWasm/rust-optimizer 88 | [wasmd]: https://github.com/CosmWasm/wasmd 89 | [wasmvm]: https://github.com/CosmWasm/wasmvm 90 | -------------------------------------------------------------------------------- /tools/format_md.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -o errexit -o nounset -o pipefail 3 | command -v shellcheck >/dev/null && shellcheck "$0" 4 | 5 | # Running with -c makes the script only validate instead of editing in place. 6 | op="write" 7 | while getopts c option; do 8 | case "${option}" in 9 | c) op="check" ;; 10 | *) ;; 11 | esac 12 | done 13 | 14 | npx prettier@3.5.3 --$op "./**/*.md" 15 | --------------------------------------------------------------------------------