Cherry-picked 🍒

Simon Warta, published in CosmWasm
3 min read · Jun 23, 2023

The Cherry security vulnerability in CosmWasm is fixed. Confio provided patches for three different versions of wasmvm to allow a smooth non-breaking upgrade.

User happy, Confio happy

The bug itself is interesting to study. It allows a recursive loop between contract and host that can be initiated by a malicious contract. This leads to a stack overflow and a crash of the host process. As a result, a chain halt would be the expected consequence.

Finding and analyzing it requires a deep understanding of contract execution at a low level. A detailed description and attack instructions have been added to the advisory. Also, a technical report was published by Jump.
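To make the bug class concrete, here is an added illustration (not wasmvm's code and not the actual fix): a toy host whose contract-callback import caps re-entrancy depth, so a contract that re-enters the host on every call gets an error instead of driving the host process into a stack overflow. `Host`, `call_contract` and `MAX_CALL_DEPTH` are hypothetical names, and the limit is an assumed value.

```rust
use std::cell::Cell;

#[derive(Debug, PartialEq)]
pub enum HostError {
    CallDepthExceeded { limit: usize },
}

/// Assumed illustrative limit; the real runtime's bound is not stated on this page.
pub const MAX_CALL_DEPTH: usize = 8;

/// Minimal stand-in for the host environment that a contract calls back into.
pub struct Host {
    depth: Cell<usize>,
    pub max_depth_seen: Cell<usize>,
}

impl Host {
    pub fn new() -> Self {
        Host { depth: Cell::new(0), max_depth_seen: Cell::new(0) }
    }

    /// A host import that re-enters contract code. Each nesting level bumps the
    /// depth counter; exceeding the cap returns an error instead of recursing
    /// until the native stack is exhausted.
    pub fn call_contract(
        &self,
        contract: &dyn Fn(&Host) -> Result<u64, HostError>,
    ) -> Result<u64, HostError> {
        let d = self.depth.get() + 1;
        if d > MAX_CALL_DEPTH {
            return Err(HostError::CallDepthExceeded { limit: MAX_CALL_DEPTH });
        }
        self.depth.set(d);
        if d > self.max_depth_seen.get() {
            self.max_depth_seen.set(d);
        }
        let result = contract(self);
        self.depth.set(d - 1); // unwind the counter on the way out
        result
    }
}

/// A contract that re-enters the host on every invocation: against an
/// unguarded host this loop never terminates and overflows the stack.
pub fn looping_contract(host: &Host) -> Result<u64, HostError> {
    host.call_contract(&looping_contract)
}

/// A well-behaved contract that returns without re-entering the host.
pub fn benign_contract(_host: &Host) -> Result<u64, HostError> {
    Ok(42)
}

/// Runs the looping contract and reports the result and the deepest nesting reached.
pub fn run_looping() -> (Result<u64, HostError>, usize) {
    let host = Host::new();
    let r = host.call_contract(&looping_contract);
    (r, host.max_depth_seen.get())
}
```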

The diff showing how to craft a malicious contract by forking cosmwasm-std

Credits go to Felix and the rest of the Jump Crypto team for the excellent report and professional disclosure handling, giving us all the space we needed to fix the root cause cleanly and sustainably.

Also big shout out to Greg from Informal as well as the Amulet team for the classification and coordination of the issue.

Security disclosure process

The CosmWasm stack follows an established security disclosure process, which worked well this time. We were able to ship patches to users of wasmvm (the Go dependency containing the runtime) in a smooth manner.

The notification list has doubled during Cherry time, and we have seen a lot of people creating a public SECURITY.md for the first time. Great job! The reason we ask for a public documentation of the security contact instead of collecting them privately is that it covers many additional use cases other than the one Confio guy trying to reach out. Colleagues can find it easier than internal company lists, and strangers can find it too.

Greg’s work on security for the Cosmos was crucial to bring more insights to the table. He used a tool to run through the chain registry and list all well-known potentially affected chains. This was a huge help in informing teams before the patch and also in understanding which versions of CosmWasm we need to patch.

One thing we realized was that forks or re-implementations of CosmWasm suffer from not having access to the patch or information about the vulnerability before it becomes public.

Next up

A few questions are still open, and we see a few action items to be addressed in the future:

  • Is there a way to better protect forks or re-implementations without leaking attack instructions?
  • Is the Cosmos Hub Forum the right place to announce those things?
  • How to get CosmWasm into the Cosmos bug bounty program? (ongoing conversation)

Closing thoughts

Security issues in the Cosmos stack happen, and usually, the Open Source patch implicitly contains an attack instruction. It’s a race to fix the bug before an attacker can abuse it. And we are talking about hours, not days here. The more informational advantage a chain’s dev team has over an attacker, the better. To allow developers such as Confio to contact you reliably, please:

  • Create a public SECURITY.md. The most important information here is how to contact the right people privately. Ideally, provide an email address, as this allows for mass sends without friendship requests required.
  • Get your project listed in the CosmWasm notification list via a pull request. The contacts here will receive priority over other users we have to find manually.
