Full Report
CosmWasm is a smart contract platform for Cosmos chains. It gives developers an experience similar to writing Solidity-based smart contracts for the EVM. Being able to find a denial of service (DoS) within a smart contract platform would be catastrophic: it could be used to stop the chain altogether by crashing every node that was running it. To me, it's weird that the virtual machine running the code wouldn't handle the error, toss out the error and move on to the next transaction, though.

CosmWasm has several runtime imports. These functions exist to offload expensive operations (like cryptography), perform validations and write state changes. All of these functions use a helper method called write_to_contract() to write error messages into the WASM address space. To do this, write_to_contract() calls the contract's exported allocate() function, which reserves a block of memory in that address space. Normally allocate comes from the CosmWasm standard library, but a developer can override it with their own implementation. A classic problem developers run into is recursively calling functions; this creates a call stack that is too deep, otherwise known as a stack overflow. By adding a call to addr_validate() within our custom allocate() function, an infinite recursion can be created: the host import fails, tries to write the error via allocate(), and allocate() calls the import again. This is a really simple bug that has horrible consequences. I bet there are many other issues in the layer 1 ecosystem on newer blockchains. Just got to go look!
Analysis Summary
# Vulnerability: Infinite Recursion leading to DoS in CosmWasm via custom `allocate`
## CVE Details
- **CVE ID:** CVE-2023-30621
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-674 (Uncontrolled Recursion)
## Affected Systems
- **Products:** CosmWasm (wasmd / cosmwasm-vm)
- **Versions:**
- `wasmd` versions earlier than 0.31.0.
- `cosmwasm-vm` versions 1.2.2 and earlier.
- **Configurations:** Blockchains utilizing the CosmWasm smart contract engine that allow users to upload contracts with custom `allocate` functions.
## Vulnerability Description
The vulnerability is a design flaw in how the CosmWasm virtual machine reports errors from runtime imports. CosmWasm exposes several host-side functions (imports) to contracts for tasks such as cryptography or address validation (`addr_validate`). When one of these functions needs to return an error message to the contract's WASM address space, it uses a helper method called `write_to_contract()`.
`write_to_contract()` calls the contract's exported `allocate()` function to reserve memory for the error string. `allocate()` is part of the contract binary: it is normally supplied by `cosmwasm-std`, but a contract author can replace it with their own implementation. A malicious contract can therefore ship an `allocate()` that calls a host import (such as `addr_validate()` on an input chosen to be invalid) which is guaranteed to fail. The host then needs `allocate()` again to report that failure, and the loop never terminates:
1. Host import is called and fails.
2. Host tries to write the error message to the contract via `allocate()`.
3. The custom `allocate()` calls the host import again, which fails again.
4. The cycle repeats until the native stack overflows, which aborts the entire node process.
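The host-to-contract loop described in the Full Report and in steps 1-4 above, together with one way of implementing the re-entrancy protection the patch release mentions, as an added Rust model. This is illustration code, not cosmwasm-vm's or wasmd's source, and everything in it is an assumption chosen for the demonstration: the `Host`, `Contract`, `run_tx` and `Outcome` names, the `cosmos1` prefix standing in for real address validation, a `stack_budget` of 10 frames standing in for the native stack (the real VM has no `StackOverflow` error value; the process simply dies), and a call-depth limit of 2, which need not match whatever constant the actual fix uses.

```rust
use std::cell::{Cell, RefCell};

/// Errors of this model (added illustration, not cosmwasm-vm's own VmError).
#[derive(Debug, Clone, PartialEq)]
enum VmError {
    InvalidAddress(String), // addr_validate rejected its input
    MaxCallDepthExceeded,   // fixed model only: host -> contract nesting too deep
    StackOverflow,          // stand-in for native stack exhaustion (process abort)
}

#[derive(Debug, PartialEq)]
enum Outcome {
    TxOk,
    TxFailed,    // contract returned an error; node keeps running
    TxAborted,   // VM trapped the call (guard tripped); node keeps running
    NodeCrashed, // stack overflow took the whole node process down
}

trait Contract {
    fn allocate(&self, host: &Host, size: usize) -> Result<u32, VmError>;
    fn execute(&self, host: &Host) -> Result<(), VmError>;
}

/// Host side of the import machinery (assumed structure, not cosmwasm-vm's).
struct Host {
    depth: Cell<usize>,              // current host -> contract nesting depth
    max_depth: usize,                // re-entrancy guard; usize::MAX = no guard (vulnerable)
    stack_budget: usize,             // emulated native stack; exceeding it = crash
    fatal: RefCell<Option<VmError>>, // sticky trap the contract cannot swallow
}

impl Host {
    fn new(max_depth: usize, stack_budget: usize) -> Self {
        Host { depth: Cell::new(0), max_depth, stack_budget, fatal: RefCell::new(None) }
    }
    /// `addr_validate` import; real bech32 checking replaced by a prefix test.
    fn addr_validate(&self, contract: &dyn Contract, input: &str) -> Result<(), VmError> {
        if input.starts_with("cosmos1") { return Ok(()); }
        let msg = format!("invalid address: {input}");
        // Hand the error text back to WASM memory: write_to_contract -> allocate.
        self.write_to_contract(contract, msg.as_bytes())?;
        Err(VmError::InvalidAddress(msg))
    }
    fn write_to_contract(&self, contract: &dyn Contract, data: &[u8]) -> Result<u32, VmError> {
        self.call_export_allocate(contract, data.len())
    }
    /// Every host -> contract call passes through here, so nesting is observable.
    fn call_export_allocate(&self, contract: &dyn Contract, size: usize) -> Result<u32, VmError> {
        let d = self.depth.get() + 1;
        if d > self.max_depth { return self.trap(VmError::MaxCallDepthExceeded); }
        if d > self.stack_budget { return self.trap(VmError::StackOverflow); } // real VM: abort
        self.depth.set(d);
        let result = contract.allocate(self, size);
        self.depth.set(d - 1);
        result
    }
    /// Record the first trap; a contract ignoring the returned error cannot clear it.
    fn trap(&self, e: VmError) -> Result<u32, VmError> {
        self.fatal.borrow_mut().get_or_insert(e.clone());
        Err(e)
    }
}

/// Runs one transaction and reports what happened to the node.
fn run_tx(host: &Host, contract: &dyn Contract) -> Outcome {
    let result = contract.execute(host);
    match host.fatal.take() {
        Some(VmError::StackOverflow) => Outcome::NodeCrashed,
        Some(_) => Outcome::TxAborted,
        None if result.is_ok() => Outcome::TxOk,
        None => Outcome::TxFailed,
    }
}

/// Well-behaved contract: cosmwasm-std style bump allocator, no host calls.
struct HonestContract { next: Cell<u32> }
impl Contract for HonestContract {
    fn allocate(&self, _host: &Host, size: usize) -> Result<u32, VmError> {
        Ok(self.next.replace(self.next.get() + size as u32)) // returns the old pointer
    }
    fn execute(&self, host: &Host) -> Result<(), VmError> { host.addr_validate(self, "not-an-address") }
}

/// The attack pattern from the report: `allocate` itself calls a failing import,
/// so every attempt to write an error back re-enters the host.
struct RecursiveAllocContract;
impl Contract for RecursiveAllocContract {
    fn allocate(&self, host: &Host, _size: usize) -> Result<u32, VmError> {
        let _ = host.addr_validate(self, "not-an-address"); // fails -> allocate again
        Ok(0)
    }
    fn execute(&self, host: &Host) -> Result<(), VmError> { host.addr_validate(self, "not-an-address") }
}

fn main() {
    println!("unguarded: {:?}", run_tx(&Host::new(usize::MAX, 10), &RecursiveAllocContract)); // NodeCrashed
    println!("guarded:   {:?}", run_tx(&Host::new(2, 10), &RecursiveAllocContract)); // TxAborted
}
```

With no depth limit the recursive contract reaches the emulated stack budget and the run ends in `NodeCrashed`; with the limit the same contract is trapped at the third nested call and the node survives with `TxAborted`. The honest bump allocator gets `TxFailed` either way, which is why a depth guard is an acceptable fix: a well-behaved `allocate` never calls back into the host, so the limit costs legitimate contracts nothing.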
## Exploitation
- **Status:** PoC available (detailed in the research report).
- **Complexity:** Low.
- **Attack Vector:** Network (A malicious user uploads and executes a specially crafted smart contract).
## Impact
- **Confidentiality:** None.
- **Integrity:** None.
- **Availability:** High (every node that executes the malicious transaction crashes; because all validators execute the same transactions, the chain halts).
## Remediation
### Patches
- Update `wasmd` to version **v0.31.0** or later.
- Update `cosmwasm-vm` to version **v1.2.3** or later (which includes fixes to prevent re-entrancy during host-to-contract calls).
### Workarounds
- Disable the permissionless uploading of smart contracts if patching is not immediately possible.
- Strict gas limits are not a reliable mitigation: each level of the recursion consumes very little gas, so the native stack can overflow well before the gas meter is exhausted.
## Detection
- **Indicators:** A contract whose exported `allocate` function calls back into host imports (the `env` module imports such as `addr_validate`). A legitimate allocator only touches linear memory, so any import call reachable from `allocate` is suspicious, and it is visible in the WASM bytecode before the contract is ever executed.
- **Detection methods:** Node logs showing a stack-overflow abort or `SIGSEGV` while executing a contract transaction, with every node that processes the same block crashing at the same height.
## References
- **Vendor Advisory:** hxxps://github[.]com/CosmWasm/advisories/blob/main/CVE-2023-30621.md
- **Jump Crypto Research:** hxxps://github[.]com/JumpCrypto/security-research/blob/master/advisories/2023-003-cosmwasm.md
- **GitHub Security Advisory:** hxxps://github[.]com/CosmWasm/cosmwasm/security/advisories/GHSA-79p3-v639-hhjh