CosmWasm 1.0.0 finalized!
The secure and stable platform for the future
About 6 months ago, we announced a stable 1.0 API for CosmWasm contracts. This has led to a huge adoption of CosmWasm, and it has been battle-tested in numerous environments. However, we have maintained the -beta label until today.
In the meantime, we have gotten a detailed audit of all the Rust codebase. We have poured over the FFI interfaces line by line to look for memory leaks. We have incorporated upstream patches from Wasmer. And we have gotten feedback from chains pulling out mutexes and running CosmWasm queries multi-threaded. In short, we have put the code through an extreme stress test, both in production and by developers. And through this, we have identified and fixed 3 security issues since we tagged 1.0-beta .
And now, we are satisfied to pull off the -beta and announce a final CosmWasm 1.0.0 release. All the Rust code in our standard libraries and runtime is up to German engineering standards.
We have come a long way, and we are very proud of our accomplishments. This is just the beginning for the CosmWasm team. As always, we aim to maintain a rapid pace of development and will be working hard on new features, improvements, and optimizations to deliver an even stronger Wasm ecosystem.
All the CosmWasm stack?
We have been reviewing all the repos as well, but the rest aren’t quite up to 1.0 yet. wasmd is well tested and feature-complete, but still on 0.27, as integration with the unstable Cosmos SDK is trickier. cw-plus, our premiere tooling for contract developing, is quite secure and tested but still undergoing (minor) API changes before we can label it 1.0. Neither of these packages has received a formal audit yet, but we are working on that.
What happened in beta?
We weren’t just looking at lines of code and fixing invisible edge cases the last 6 months. There are numerous smaller improvements we made that are visible and appreciated by end-users:
- Many improvements to the math libraries — Uint128 and company have gotten extra methods like Sum, Pow, ISqrt, etc
- Support for arm64 — run your tests on your new M1 MacBook
- Support for Windows — you can compile and run integration tests on Windows machines
- Ensure bech32 input addresses are properly normalized
- Support for extended ibcv3 interfaces
- And some type renaming for clarity
But there’s more…
One of the long-standing dev frustrations with CosmWasm is how it doesn’t handle panics. If you .unwrap() somewhere, it will panic and leave a not-so-helpful message “Execute Wasm Failed: Wasmer Runtime Error: unreachable. There is no way to catch panics in wasm target.
However, with a genius insight, Simon realized we could use a panic handler hook and custom Wasm import to record this information. And suddenly, all these opaque panic messages get revealed to the user, long with the line number: Wasmer runtime error: RuntimeError: Aborted: panicked at 'Now what?', src/contract.rs:37:5."
While we still recommend you to use Result and handle errors in the most Rust-like way, you can rest assured that any overflow or unwrap or array of bounds will be properly reported. We hope this will make your dev experience much more pleasant. Just enable the abort feature, and it will work on any blockchain that has upgraded to 1.0.0 final.
Get Involved
Like what you see? Let the world know on Twitter or join the discussion on Discord. And remember to follow us on medium to be informed about the upcoming CosmWasm Academy, where you can level up your skills.
If you are core dev for a blockchain, consider updating to wasmd 0.27 as soon as possible in order to get CosmWasm 1.0 on your blockchain.
Also, please check out our next Community call on May 17th at 10 am CEST (8:00 UTC) for more early insights and a space to ask questions.
