Skip to content

Latest commit

 

History

History
79 lines (51 loc) · 3.65 KB

CWA-2024-003.md

File metadata and controls

79 lines (51 loc) · 3.65 KB
Raw

CWA-2024-003: Large address count in ValidateBasic

Severity

Low (Moderate + Unlikely)1

Affected versions:

  • wasmd < 0.52.0

Patched versions: wasmd 0.52.0

Description of the bug

In multiple wasmd message types it was possible to add a large number of addresses which might lead to unexpected resource consumption in ValidateBasic.

  1. The following message types call assertValidAddresses via func (a AccessConfig) ValidateBasic() error to ensure the addresses are in the correct format and do not contain duplicates. An attacker can provide many addresses in AccessConfig.Addresses and specify the AccessConfig.Permission as AccessTypeAnyOfAddresses.

  2. MsgAddCodeUploadParamsAddresses and MsgRemoveCodeUploadParamsAddresses call the checkDuplicatedAddresses function to ensure the addresses are in the correct format and do not contain duplicates. An attacker can provide many addresses in msg.Addresses.

Both cases may leads to a large memory consumption in the map, as well as address validation efforts and a slowdown of map operations.

The number of addresses a malicious actor can insert here is limited by the gas charged for transaction sizes (x/auth parameter tx_size_cost_per_byte) and the block size limit (CometBFT consensus setting max_bytes).

Patch

The new unified validateBech32Addresses replaces assertValidAddresses and checkDuplicatedAddresses. It

  1. Checks for a min and max element count
  2. For each element checks
    • address validity
    • uniqueness

The check in 1. puts an upper bound on the loop in 2. as well as the size of the map index.

See CosmWasm/wasmd#1926

Applying the patch

Ensure you use wasmd 0.52 or higher in your Go project: go list -m github.com/CosmWasm/wasmd

Alternatively you can backport the patch from CosmWasm/wasmd#1926.

Acknowledgement

This issue was found by Richie who reported it to the Cosmos Bug Bounty Program on HackerOne.

If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

Timeline

  • 2024-04-21: Bug reported via Cosmos HackerOne
  • 2024-04-25: A patch was created internally
  • 2024-07-11: The patch is published and released with wasmd 0.52

Footnotes

  1. following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md