Full Report
In CosmWasm, the module for running Wasm smart contracts on Cosmos blockchains, the maximum Wasm payload is 800KB by default. Before a contract is saved to disk it goes through some sanity checks, and one of them enforces this size cap. The bug is effectively a zip bomb aimed at slowing the chain down. When the Wasm bytecode is compiled, the compiler can inline function signatures many times into the compiled code, so a small module that declares a large signature and references it many times produces a compiled artifact that is megabytes or gigabytes in size. In CosmWasm, a compiled module larger than 2GB makes the serialization step panic. The cosmwasm-vm crate uses the Mutex type to guard against races on its inner module cache, and in Rust a thread that panics while holding a Mutex poisons the lock: every later attempt to take it fails. Since every CosmWasm call goes through that cache, all of them now fail, which is a denial of service on the contract module as a whole. From the user's perspective this translates to the blockchain stalling on every transaction, akin to a network outage. To fix the issue, additional restrictions were added on the maximum number of functions, the parameters per function and the total number of function parameters. This caps how much a payload can expand but doesn't really address the root cause. Interesting!
Analysis Summary
# Vulnerability: WasmVM Deterministic DoS via Module Serialization Panic
## CVE Details
- **ID**: CWA-2023-004 (CosmWasm Advisory ID, not a CVE number)
- **Severity**: High (the advisory gives no numerical CVSS score)
- **CWE**: CWE-400 (Uncontrolled Resource Consumption), CWE-674 (Uncontrolled Recursion)
## Affected Systems
- **Products**: CosmWasm `wasmvm`, the `cosmwasm-vm` crate, and app chains (via `wasmd`) that embed them.
- **Versions** (vulnerable release lines; each is fixed in the patch release listed under Remediation):
  - wasmvm 1.5.x < 1.5.1
  - wasmvm 1.4.x < 1.4.2
  - wasmvm 1.3.x < 1.3.1
  - wasmvm 1.2.x < 1.2.5
- **Configurations**: Blockchain networks that allow **permissionless** contract uploads (anyone can store contract code).
## Vulnerability Description
The vulnerability is a "zip bomb" style attack on the WebAssembly (Wasm) compilation and serialization step.
1. **The Inconsistency**: The raw Wasm payload is capped (800KB by default), but the cap is checked on the uploaded bytes, not on what the compiler (Wasmer) produces from them. Function signatures are inlined into the compiled code, so the output size is not bounded by the input size.
2. **Expansion**: A module that declares a large signature and references it many times compiles to a `Module` far larger than the payload. Once the compiled module exceeds **2GB**, the `rkyv` serialization that Wasmer uses to write it out triggers a runtime **panic**.
3. **The Lock Poisoning**: `cosmwasm-vm` guards its inner module cache with a `Mutex`. In Rust, a thread that panics while holding a `Mutex` guard poisons the lock, and every later `lock()` call on it returns an error.
4. **Denial of Service**: Every subsequent Wasm VM call hits the poisoned lock and fails. Because every node processes the same transaction and reaches the same state, the failure is deterministic across the network and the chain stalls.
## Exploitation
- **Status**: PoC available (referenced in technical advisory); no known exploitation in the wild at the time of report.
- **Complexity**: Medium (Requires crafting a malformed Wasm payload that bypasses initial sanity checks but expands during compilation).
- **Attack Vector**: Network (Remote submission of a contract).
## Impact
- **Confidentiality**: None
- **Integrity**: None
- **Availability**: **Critical** (Total network stall; users cannot store or execute contracts, and transactions fail to process).
## Remediation
### Patches
Update `wasmvm` to the following versions or higher:
- **1.5.1**
- **1.4.2**
- **1.3.1**
- **1.2.5**
### Workarounds
- Disable permissionless code uploads: set wasmd's `code_upload_access` parameter so that only trusted addresses may submit `MsgStoreCode`.
- Lower the `MaxWasmSize` limit in wasmd (a build-time variable rather than a chain parameter). This only raises the bar, since the expansion happens after the size check and well within the default cap.
## Detection
- **Indicators of Compromise**: Transaction failures whose error text mentions a poisoned lock (Rust's `PoisonError` message reads "poisoned lock: another task failed inside") or "Error writing module to disk".
- **Detection methods**: Monitor validator logs for Wasm compilation panics, and watch for abrupt memory or disk growth on a node while a `MsgStoreCode` transaction is being processed.
## References
- [CosmWasm Advisory CWA-2023-004] hxxps[://]github[.]com/CosmWasm/advisories/blob/main/CWAs/CWA-2023-004[.]md
- [Patch Commit] hxxps[://]github[.]com/CosmWasm/cosmwasm/commit/f69ffc7f7a66015b7d31ffad1d5e08d6c692d44f
- [CertiK Security Blog] hxxps[://]www[.]certik[.]com/blog/technical-blogs/risk-security-enhancement-for-app-chains-an-in-depth-writeup-of-cwa-2023-004