Affected versions: wasmvm < 1.2.2 (cosmwasm-vm < 1.2.3)
Patched versions: wasmvm 1.2.2 (cosmwasm-vm 1.2.3)
Cache statistics are incremented with plain (unchecked) additions, so the counters can overflow after roughly 4 billion calls. Because cosmwasm-vm is compiled with overflow-checks = true in wasmvm, exceeding the uint32 range leads to a panic.
For nodes that are accessible by clients, this can happen in case of excessive external calls.
For nodes that only have cache hits as part of block production, it is unclear if the required numbers of calls can be reached. It might be possible for pinned contracts which have 0 instantiation cost by default.
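The failure mode described above, as an added illustration in Rust (this is not cosmwasm-vm's code, and the struct and function names are assumptions). The vulnerable shape models an overflow-checked `+= 1` on a u32 hit counter; `checked_add(...).expect(...)` reproduces that panic deterministically regardless of build profile, and the counter is started near the ceiling so the example does not have to loop 2^32 times. The hardened shape uses a saturating increment, which pins the statistic at u32::MAX instead of crashing the node; this is one possible mitigation, not a claim about what CosmWasm/cosmwasm#1630 changed.

```rust
use std::panic;

/// Vulnerable shape: a plain u32 counter bumped on every cache hit.
/// `checked_add(...).expect(...)` behaves exactly like an overflow-checked
/// `self.hits += 1`: it panics on the 2^32-th increment. (Assumption: the
/// message mirrors rustc's own overflow panic text.)
#[derive(Debug, Default, Clone, Copy)]
pub struct StatsUnchecked {
    pub hits: u32,
}

impl StatsUnchecked {
    pub fn record_hit(&mut self) {
        self.hits = self
            .hits
            .checked_add(1)
            .expect("attempt to add with overflow");
    }
}

/// Hardened shape: a saturating increment pins at u32::MAX rather than
/// panicking. The statistic becomes inaccurate at the ceiling, but a hot
/// cache can no longer take the node down. (Assumed mitigation.)
#[derive(Debug, Default, Clone, Copy)]
pub struct StatsSaturating {
    pub hits: u32,
}

impl StatsSaturating {
    pub fn record_hit(&mut self) {
        self.hits = self.hits.saturating_add(1);
    }
}

/// Drive the vulnerable counter from `start` with `n` further hits.
/// Returns Ok(final value) or Err(()) if an increment panicked; the panic
/// is caught so the caller can observe it instead of aborting the process.
pub fn run_unchecked(start: u32, n: u32) -> Result<u32, ()> {
    let mut s = StatsUnchecked { hits: start };
    panic::catch_unwind(move || {
        for _ in 0..n {
            s.record_hit();
        }
        s.hits
    })
    .map_err(|_| ())
}

/// Drive the hardened counter the same way; it never panics.
pub fn run_saturating(start: u32, n: u32) -> u32 {
    let mut s = StatsSaturating { hits: start };
    for _ in 0..n {
        s.record_hit();
    }
    s.hits
}

fn main() {
    // Start two increments below the ceiling to reach it quickly.
    let start = u32::MAX - 2;
    println!("unchecked, 2 hits:  {:?}", run_unchecked(start, 2)); // Ok(4294967295)
    println!("unchecked, 3 hits:  {:?}", run_unchecked(start, 3)); // Err(()) after the panic
    println!("saturating, 3 hits: {}", run_saturating(start, 3)); // 4294967295
}
```

Running the block prints the panic message from the third unchecked increment to stderr and then continues, which is the observable difference between the two shapes: the unchecked counter turns a full cache into a crash, the saturating one turns it into a stale statistic.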
CosmWasm/cosmwasm#1630 released as part of cosmwasm-vm 1.2.3 and wasmvm 1.2.2.
Chains running wasmvm 1.2.1 can apply the patch with
go mod edit -replace github.com/CosmWasm/wasmvm=github.com/CosmWasm/wasmvm@v1.2.2
Chains running older versions of wasmvm should upgrade to 1.2.1 first.
For unpatched systems, restarting nodes regularly helps, since it resets the counters and makes the range limit hard to reach in practice.
- 2023-03-06: The issue was reported by researchers of Oak Security as part of their work wrapping up the CosmWasm 1.0 audit.
- 2023-03-13: A patch was developed by Confio.
- 2023-03-22: The patch was merged and released as part of cosmwasm-vm 1.2.3.
- 2023-03-27: CosmWasm audit report is published, listing this issue as finding No 1.
- 2023-04-06: wasmvm 1.2.2 was released, including the patch.
- 2023-04-12: Advisory is written.
- 2023-04-13: Advisory is published.