Severity
Medium
Affected versions:
- cosmwasm-std >= 2.0.0, < 2.0.2
- cosmwasm-std >= 1.5.0, < 1.5.4
- cosmwasm-std >= 1.3.0, < 1.4.4
Patched versions: cosmwasm-std 1.4.4, 1.5.4, 2.0.2
Some mathematical operations in cosmwasm-std
use wrapping math instead of
panicking on overflow for very big numbers. This can lead to wrong calculations in contracts
that use these operations.
Affected functions:
Uint{256,512}::pow
/Int{256,512}::pow
Int{256,512}::neg
(the unary negation operator-
). The only value that can overflow isInt{256,512}::MIN
.
Affected if overflow-checks = true
is not set:
Uint{64,128}::pow
/Int{64,128}::pow
Int{64,128}::neg
(the unary negation operator-
). The only value that can overflow isInt{64,128}::MIN
.
- 1.4: https://github.com/CosmWasm/cosmwasm/commit/607e7fc710fb9441096e8edbaa12879b552c8f65
- 1.5: https://github.com/CosmWasm/cosmwasm/commit/eff79bcbe73b61178817aacf0a6449437adad6a9
- 2.0: https://github.com/CosmWasm/cosmwasm/commit/a6a639e09adc355b5f889a09141649005cb08a46
- Run
cargo update -p cosmwasm-std
in your contract's project - Ensure the version of "cosmwasm-std" in
Cargo.lock
is 1.4.4, 1.5.4 or 2.0.2
- 2024-02-26: Confio security contributor finds this issue during testing.
- 2024-02-28: Confio and Amulet meet to discuss the issue and investigate the potential impact.
- 2024-04-16: Confio developed the patch internally.
- 2024-04-22: The upcoming patch is announced through the CosmWasm advisories notification list and publicly on X (https://twitter.com/CosmWasm/status/1782439624608030771).
- 2024-04-24: The patch is released.
- 2024-04-24: RustSec Advisory Database entry created (RUSTSEC-2024-0338)