Severity
Low (Moderate + Unlikely)1
Affected versions:
- wasmd < 0.52.0
Patched versions: wasmd 0.52.0
In multiple wasmd message types it was possible to add a large number of addresses which might lead to unexpected resource consumption in ValidateBasic
.
-
The following message types call assertValidAddresses via
func (a AccessConfig) ValidateBasic() error
to ensure the addresses are in the correct format and do not contain duplicates. An attacker can provide many addresses inAccessConfig.Addresses
and specify theAccessConfig.Permission
asAccessTypeAnyOfAddresses
. -
MsgAddCodeUploadParamsAddresses and MsgRemoveCodeUploadParamsAddresses call the checkDuplicatedAddresses function to ensure the addresses are in the correct format and do not contain duplicates. An attacker can provide many addresses in
msg.Addresses
.
Both cases may leads to a large memory consumption in the map, as well as address validation efforts and a slowdown of map operations.
The number of addresses a malicious actor can insert here is limited by the gas charged
for transaction sizes (x/auth parameter tx_size_cost_per_byte
)
and the block size limit (CometBFT consensus setting max_bytes
).
The new unified validateBech32Addresses
replaces assertValidAddresses
and checkDuplicatedAddresses
. It
- Checks for a min and max element count
- For each element checks
- address validity
- uniqueness
The check in 1. puts an upper bound on the loop in 2. as well as the size of the map index
.
Ensure you use wasmd 0.52 or higher in your Go project:
go list -m github.com/CosmWasm/wasmd
Alternatively you can backport the patch from CosmWasm/wasmd#1926.
This issue was found by Richie who reported it to the Cosmos Bug Bounty Program on HackerOne.
If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
- 2024-04-21: Bug reported via Cosmos HackerOne
- 2024-04-25: A patch was created internally
- 2024-07-11: The patch is published and released with wasmd 0.52
Footnotes
-
following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md ↩