GHSA-mx2j-7cmv-353c: wasmvm: Malicious smart contract can slow down block production
CVSS Score: N/A
Basic Information
CVE ID: -
GHSA ID: GHSA-mx2j-7cmv-353c
EPSS Score: -
CWE: -
Published: 2/4/2025
Updated: 2/6/2025
KEV Status: No
Technology: Rust
Technical Details
CVSS Vector: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| cosmwasm-vm | rust | = 2.2.0 | 2.2.1 |
| cosmwasm-vm | rust | >= 2.1.0, < 2.1.6 | 2.1.6 |
| cosmwasm-vm | rust | >= 2.0.0, < 2.0.9 | 2.0.9 |
| cosmwasm-vm | rust | < 1.5.10 | 1.5.10 |
| github.com/CosmWasm/wasmvm | go | < 1.5.8 | 1.5.8 |
| github.com/CosmWasm/wasmvm/v2 | go | >= 2.2.0, < 2.2.2 | 2.2.2 |
| github.com/CosmWasm/wasmvm/v2 | go | >= 2.1.0, < 2.1.5 | 2.1.5 |
| github.com/CosmWasm/wasmvm/v2 | go | >= 2.0.0, < 2.0.6 | 2.0.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insufficient gas metering for memory operations and host calls. The fix commits add gas cost fields (read_region_*, string_from_bytes_cost, host_call_cost) and change LinearGasCost to use overflow-checked arithmetic, which indicates that earlier versions did not charge gas for these operations. A malicious contract could therefore perform expensive, un-metered work on the host and exhaust validator resources, slowing block production.
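To make the root cause concrete, the following added example (written for this page, not code from cosmwasm-vm or wasmvm) contrasts an un-metered region read with a metered one and shows why a linear cost model needs overflow-checked arithmetic. The names LinearGasCost, read_region and host_call_cost echo the advisory's wording, but the types, costs and guest memory here are hypothetical and constructed for illustration.

```rust
// Added illustration, not cosmwasm-vm's own code: a toy gas meter that shows
// the two defects named in the root-cause note. All names and numbers are
// hypothetical.

#[derive(Debug, PartialEq, Eq)]
pub enum VmError {
    /// The operation needs more gas than remains.
    OutOfGas { needed: u64, left: u64 },
    /// base + per_item * items does not fit in u64.
    CostOverflow,
    /// The requested region lies outside guest linear memory.
    OutOfBounds,
}

/// Linear cost model: base + per_item * items, evaluated with checked
/// arithmetic so an attacker-controlled `items` cannot wrap to a tiny charge.
#[derive(Clone, Copy, Debug)]
pub struct LinearGasCost {
    pub base: u64,
    pub per_item: u64,
}

impl LinearGasCost {
    pub fn total_cost(&self, items: u64) -> Result<u64, VmError> {
        self.per_item
            .checked_mul(items)
            .and_then(|v| v.checked_add(self.base))
            .ok_or(VmError::CostOverflow)
    }
}

/// Gas meter owned by the VM for one contract execution.
pub struct GasMeter {
    remaining: u64,
    pub read_region_cost: LinearGasCost,
    pub host_call_cost: u64,
}

impl GasMeter {
    pub fn new(limit: u64, read_region_cost: LinearGasCost, host_call_cost: u64) -> Self {
        GasMeter { remaining: limit, read_region_cost, host_call_cost }
    }

    pub fn remaining(&self) -> u64 {
        self.remaining
    }

    /// Deduct `amount`, failing (without deducting) if it is not available.
    pub fn charge(&mut self, amount: u64) -> Result<(), VmError> {
        if amount > self.remaining {
            return Err(VmError::OutOfGas { needed: amount, left: self.remaining });
        }
        self.remaining -= amount;
        Ok(())
    }
}

/// Un-metered copy of a guest memory region: the host does work proportional
/// to `len`, but the contract pays nothing for it.
pub fn read_region_unmetered(memory: &[u8], offset: usize, len: usize) -> Result<Vec<u8>, VmError> {
    let end = offset.checked_add(len).ok_or(VmError::OutOfBounds)?;
    memory.get(offset..end).map(|s| s.to_vec()).ok_or(VmError::OutOfBounds)
}

/// Metered copy: gas for `len` bytes is charged before any bytes move, so the
/// host's work stays bounded by the gas limit.
pub fn read_region_metered(meter: &mut GasMeter, memory: &[u8], offset: usize, len: usize) -> Result<Vec<u8>, VmError> {
    let cost = meter.read_region_cost.total_cost(len as u64)?;
    meter.charge(cost)?;
    read_region_unmetered(memory, offset, len)
}

/// A contract that makes `reads` host calls, each copying `len` bytes, with
/// nothing charged: returns the bytes copied, unbounded by any gas limit.
pub fn run_unmetered_loop(memory: &[u8], reads: u64, len: usize) -> Result<usize, VmError> {
    let mut copied = 0;
    for _ in 0..reads {
        copied += read_region_unmetered(memory, 0, len)?.len();
    }
    Ok(copied)
}

/// The same loop under metering: each host call and region read is charged,
/// so the loop ends with OutOfGas once the limit is exhausted.
pub fn run_metered_loop(meter: &mut GasMeter, memory: &[u8], reads: u64, len: usize) -> Result<u64, VmError> {
    for _ in 0..reads {
        let host_call = meter.host_call_cost;
        meter.charge(host_call)?;
        read_region_metered(meter, memory, 0, len)?;
    }
    Ok(reads)
}

fn main() {
    let memory = vec![0u8; 64]; // constructed guest memory
    let cost = LinearGasCost { base: 10, per_item: 1 };
    let unmetered = run_unmetered_loop(&memory, 1_000, 32);
    println!("un-metered loop copied: {:?} bytes", unmetered);
    let mut meter = GasMeter::new(100, cost, 5);
    let metered = run_metered_loop(&mut meter, &memory, 1_000, 32);
    println!("metered loop: {:?}, gas left {}", metered, meter.remaining());
}
```

With a 100-gas limit, a host-call cost of 5 and a read cost of 10 + 1 per byte, the metered loop completes two 32-byte reads and stops on the third, while the un-metered loop copies all 32,000 bytes regardless of gas. The checked arithmetic in total_cost is what stops a huge region length from wrapping the charge down to a few units.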