|
2 | 2 |
|
3 | 3 | ## 2025 |
4 | 4 |
|
5 | | -| Severity[^1] | Scope[^2] | ID | Aliases | |
6 | | -| ------------ | --------- | --------------------------------------------------------------------------------------------------- | --------------------- | |
7 | | -| High | x/wasm | [CWA-2025-006: Improper error handling may lead to IBC channel opening despite error][CWA-2025-006] | | |
8 | | -| Medium | x/wasm | [CWA-2025-005: Missing contract setup cost for IBC entrypoints][CWA-2025-005] | | |
9 | | -| Low | x/wasm | [CWA-2025-004: Sub-context gas not consumed on non-OutOfGas panics][CWA-2025-004] | | |
10 | | -| Low | VM | [CWA-2025-003: Smart contract can cause consensus failures for some nodes][CWA-2025-003] | | |
11 | | -| Medium | VM | [CWA-2025-002: Malicious smart contract can slow down block production][CWA-2025-002] | [GHSA-mx2j-7cmv-353c] | |
12 | | -| Medium | VM | [CWA-2025-001: Malicious smart contract can crash the chain][CWA-2025-001] | [GHSA-23qp-3c2m-xx6w] | |
| 5 | +| [Severity] | [Scope] | ID | Aliases | |
| 6 | +|------------|---------|-----------------------------------------------------------------------------------------------------|-----------------------| |
| 7 | +| High | x/wasm | [CWA-2025-006: Improper error handling may lead to IBC channel opening despite error][CWA-2025-006] | | |
| 8 | +| Medium | x/wasm | [CWA-2025-005: Missing contract setup cost for IBC entrypoints][CWA-2025-005] | | |
| 9 | +| Low | x/wasm | [CWA-2025-004: Sub-context gas not consumed on non-OutOfGas panics][CWA-2025-004] | | |
| 10 | +| Low | VM | [CWA-2025-003: Smart contract can cause consensus failures for some nodes][CWA-2025-003] | | |
| 11 | +| Medium | VM | [CWA-2025-002: Malicious smart contract can slow down block production][CWA-2025-002] | [GHSA-mx2j-7cmv-353c] | |
| 12 | +| Medium | VM | [CWA-2025-001: Malicious smart contract can crash the chain][CWA-2025-001] | [GHSA-23qp-3c2m-xx6w] | |
13 | 13 |
|
14 | 14 | [CWA-2025-006]: ./CWA-2025-006.md |
15 | 15 | [CWA-2025-005]: ./CWA-2025-005.md |
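Review bot: the new separator row `|------------|---------|...` drops the padding spaces that every other row in this table still uses (`| High | x/wasm | ...`), so the source no longer lines up column-wise and a markdown formatter such as the one that produced the old `| ------------ | --------- |` style will rewrite it on the next run; keep one style, either `|------------|` throughout or the padded form. The switch from `Severity[^1]` / `Scope[^2]` footnotes to the `[Severity]` / `[Scope]` reference links is fine as long as the two definitions at the end of the file stay in place, since reference definitions resolve file-wide and all five tables rely on the same pair.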
|
22 | 22 |
|
23 | 23 | ## 2024 |
24 | 24 |
|
25 | | -| Severity[^1] | Scope[^2] | ID | Aliases | |
26 | | -| ------------ | --------- | ---------------------------------------------------------------------------- | ------------------------------------------ | |
27 | | -| Low | VM | [CWA-2024-009][CWA-2024-009] | [GHSA-vmg2-r3xv-r3xf] | |
28 | | -| Medium | VM | [CWA-2024-008: Panic in wasmvm can slow down block production][CWA-2024-008] | [GHSA-vmqh-5232-v43r] | |
29 | | -| Medium | VM | [CWA-2024-007: Incorrect metering][CWA-2024-007] | [GHSA-2q97-m5rc-p3gp] | |
30 | | -| Medium | x/wasm | [CWA-2024-006: Non-deterministic module_query_safe query][CWA-2024-006] | [GHSA-fpgj-cr28-fvpx] | |
31 | | -| High | x/wasm | [CWA-2024-005: Stackoverflow in wasmd][CWA-2024-005] | [GHSA-g8w7-7vgg-x7xg] | |
32 | | -| Medium | VM | [CWA-2024-004: Gas mispricing in cosmwasm-vm][CWA-2024-004] | [RUSTSEC-2024-0361], [GHSA-rg2q-2jh9-447q] | |
33 | | -| Low | x/wasm | [CWA-2024-003: Large address count in ValidateBasic][CWA-2024-003] | [GHSA-m3rh-cvr5-x6q4] | |
34 | | -| Medium | Contracts | [CWA-2024-002: Arithmetic overflows in cosmwasm-std][CWA-2024-002] | [RUSTSEC-2024-0338], [GHSA-8724-5xmm-w5xq] | |
35 | | -| Low | Contracts | [CWA-2024-001: Stack overflow in serde-json-wasm][CWA-2024-001] | [RUSTSEC-2024-0012], [GHSA-rr69-rxr6-8qwf] | |
| 25 | +| [Severity] | [Scope] | ID | Aliases | |
| 26 | +|------------|-----------|------------------------------------------------------------------------------|--------------------------------------------| |
| 27 | +| Low | VM | [CWA-2024-009][CWA-2024-009] | [GHSA-vmg2-r3xv-r3xf] | |
| 28 | +| Medium | VM | [CWA-2024-008: Panic in wasmvm can slow down block production][CWA-2024-008] | [GHSA-vmqh-5232-v43r] | |
| 29 | +| Medium | VM | [CWA-2024-007: Incorrect metering][CWA-2024-007] | [GHSA-2q97-m5rc-p3gp] | |
| 30 | +| Medium | x/wasm | [CWA-2024-006: Non-deterministic module_query_safe query][CWA-2024-006] | [GHSA-fpgj-cr28-fvpx] | |
| 31 | +| High | x/wasm | [CWA-2024-005: Stackoverflow in wasmd][CWA-2024-005] | [GHSA-g8w7-7vgg-x7xg] | |
| 32 | +| Medium | VM | [CWA-2024-004: Gas mispricing in cosmwasm-vm][CWA-2024-004] | [RUSTSEC-2024-0361], [GHSA-rg2q-2jh9-447q] | |
| 33 | +| Low | x/wasm | [CWA-2024-003: Large address count in ValidateBasic][CWA-2024-003] | [GHSA-m3rh-cvr5-x6q4] | |
| 34 | +| Medium | Contracts | [CWA-2024-002: Arithmetic overflows in cosmwasm-std][CWA-2024-002] | [RUSTSEC-2024-0338], [GHSA-8724-5xmm-w5xq] | |
| 35 | +| Low | Contracts | [CWA-2024-001: Stack overflow in serde-json-wasm][CWA-2024-001] | [RUSTSEC-2024-0012], [GHSA-rr69-rxr6-8qwf] | |
36 | 36 |
|
37 | 37 | [CWA-2024-009]: ./CWA-2024-009.md |
38 | 38 | [CWA-2024-008]: ./CWA-2024-008.md |
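Review bot: the CWA-2024-009 row is carried over with an ID-only link text (`[CWA-2024-009][CWA-2024-009]`) while every other row in this table uses `ID: title`; since the table is being touched anyway, add the advisory title here so readers can tell what the entry covers without opening it.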
|
58 | 58 |
|
59 | 59 | ## 2023 |
60 | 60 |
|
61 | | -| Severity[^1] | Scope[^2] | ID | |
62 | | -| ------------ | --------- | ------------------------------------------------------------------------------------- | |
63 | | -| High | VM | [CWA-2023-004: Excessive number of function paramters in compiled Wasm][CWA-2023-004] | |
64 | | -| Medium | x/wasm | [CWA-2023-003: Inefficient ListChannels query implementation][CWA-2023-003] | |
65 | | -| | VM | [CWA-2023-002: Stack overflow crash (Codename Cherry)][CWA-2023-002] | |
66 | | -| | VM | [CWA-2023-001: Potential overflow in cache statistics][CWA-2023-001] | |
| 61 | +| [Severity] | [Scope] | ID | |
| 62 | +|------------|---------|---------------------------------------------------------------------------------------| |
| 63 | +| High | VM | [CWA-2023-004: Excessive number of function paramters in compiled Wasm][CWA-2023-004] | |
| 64 | +| Medium | x/wasm | [CWA-2023-003: Inefficient ListChannels query implementation][CWA-2023-003] | |
| 65 | +| | VM | [CWA-2023-002: Stack overflow crash (Codename Cherry)][CWA-2023-002] | |
| 66 | +| | VM | [CWA-2023-001: Potential overflow in cache statistics][CWA-2023-001] | |
67 | 67 |
|
68 | 68 | [CWA-2023-004]: ./CWA-2023-004.md |
69 | 69 | [CWA-2023-003]: ./CWA-2023-003.md |
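Review bot: the spelling "paramters" in the CWA-2023-004 link text is carried over unchanged into the new row; if the advisory title in `./CWA-2023-004.md` reads "parameters", correct it here too, and if the misspelling is intentionally kept to match the published title, that is worth a short note so the next editor does not fix it by accident.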
|
72 | 72 |
|
73 | 73 | ## 2022 |
74 | 74 |
|
75 | | -| Severity[^1] | Scope[^2] | ID | |
76 | | -| ------------ | --------- | -------------------------------------------------------------------------------------- | |
77 | | -| | x/wasm | [CWA-2022-005: Denial of service through predictable contract addresses][CWA-2022-005] | |
78 | | -| | x/wasm | [CWA-2022-004: Unlimited query stack][CWA-2022-004] | |
79 | | -| | x/wasm | [CWA-2022-003: Nondeterministic Stargate queries][CWA-2022-003] | |
80 | | -| | VM | [CWA-2022-002: Non-normalized bech32 casing in Addr type][CWA-2022-002] | |
81 | | -| | x/wasm | [CWA-2022-001: Non-deterministic queries][CWA-2022-001] | |
| 75 | +| [Severity] | [Scope] | ID | |
| 76 | +|------------|---------|----------------------------------------------------------------------------------------| |
| 77 | +| | x/wasm | [CWA-2022-005: Denial of service through predictable contract addresses][CWA-2022-005] | |
| 78 | +| | x/wasm | [CWA-2022-004: Unlimited query stack][CWA-2022-004] | |
| 79 | +| | x/wasm | [CWA-2022-003: Nondeterministic Stargate queries][CWA-2022-003] | |
| 80 | +| | VM | [CWA-2022-002: Non-normalized bech32 casing in Addr type][CWA-2022-002] | |
| 81 | +| | x/wasm | [CWA-2022-001: Non-deterministic queries][CWA-2022-001] | |
82 | 82 |
|
83 | 83 | [CWA-2022-005]: ./CWA-2022-005.md |
84 | 84 | [CWA-2022-004]: ./CWA-2022-004.md |
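Review bot: all rows in this table (and in the 2021 table) have an empty Severity cell, which is now a link to a section that only describes the ACMv1 framework; consider stating in that Severity section that advisories before 2023 were published without a classification, so the blank cells read as "not rated" rather than as missing data.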
|
88 | 88 |
|
89 | 89 | ## 2021 |
90 | 90 |
|
91 | | -| Severity[^1] | Scope[^2] | ID | |
92 | | -| ------------ | --------- | ------------------------------------------------------------------------------------------- | |
93 | | -| | VM | [CWA-2021-003: Nondeterministic stacktrace in VmError][CWA-2021-003] | |
94 | | -| | | CWA-2021-002: reserved | |
95 | | -| | VM | [CWA-2021-001: Logic error in none handling in copyAndDestroyUnmanagedVector][CWA-2021-001] | |
| 91 | +| [Severity] | [Scope] | ID | |
| 92 | +|------------|---------|---------------------------------------------------------------------------------------------| |
| 93 | +| | VM | [CWA-2021-003: Nondeterministic stacktrace in VmError][CWA-2021-003] | |
| 94 | +| | | CWA-2021-002: reserved | |
| 95 | +| | VM | [CWA-2021-001: Logic error in none handling in copyAndDestroyUnmanagedVector][CWA-2021-001] | |
96 | 96 |
|
97 | 97 | [CWA-2021-003]: ./CWA-2021-003.md |
98 | 98 | [CWA-2021-002]: ./CWA-2021-002.md |
99 | 99 | [CWA-2021-001]: ./CWA-2021-001.md |
100 | 100 |
|
101 | | -[^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md |
102 | 101 |
|
103 | | -[^2]: Contracts: everything compiled into Wasm (comswasm-std, other contract libraries); VM: everything executing contracts (cosmwasm-vm, wasmvm); x/wasm: integration of the VM into the chain (wasmd) |
| 102 | +[Severity]: #Severity |
| 103 | +[Scope]: #Scope |
| 104 | + |
| 105 | + |
| 106 | +### Severity |
| 107 | + |
| 108 | +Following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md |
| 109 | + |
| 110 | +### Scope |
| 111 | + |
| 112 | +- **Contracts** - everything compiled into Wasm (cosmwasm-std, other contract libraries), |
| 113 | +- **VM** - everything executing contracts (cosmwasm-vm, wasmvm), |
| 114 | +- **x/wasm** - integration of the VM into the chain (wasmd). |
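Review bot: `[Severity]: #Severity` and `[Scope]: #Scope` point at capitalised fragments, but the anchors GitHub generates for `### Severity` and `### Scope` are lowercase (`#severity`, `#scope`); use the lowercase form so the header links resolve reliably in any renderer. Two consecutive empty lines are also introduced before `### Severity`; one is enough and matches the rest of the file. The rewrite does fix the `comswasm-std` typo from the old `[^2]` footnote (now `cosmwasm-std`), which is worth calling out in the commit message.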