CosmWasm affected by arithmetic overflows

Low severity GitHub Reviewed Published Apr 24, 2024 to the GitHub Advisory Database • Updated Apr 24, 2024

Package

cargo cosmwasm-std (Rust)

Affected versions

>= 1.3.0, < 1.4.4
>= 1.5.0, < 1.5.4
>= 2.0.0, < 2.0.2

Patched versions

1.4.4
1.5.4
2.0.2

Description

Some arithmetic operations in cosmwasm-std use wrapping math instead of
panicking on overflow when a result exceeds the integer type's range. A contract
that relies on these operations can therefore continue with a silently wrapped,
wrong value instead of aborting the transaction. Contracts should update to one
of the patched versions listed above.

Affected functions (wrap regardless of build settings):

  • Uint{256,512}::pow / Int{256,512}::pow
  • Int{256,512}::neg

Affected only if overflow-checks = true is not set in the contract's Cargo
release profile (these types wrap whenever plain Rust integer arithmetic does):

  • Uint{64,128}::pow / Int{64,128}::pow
  • Int{64,128}::neg
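
The following is an added example, not code from cosmwasm-std or the advisory. It
uses Rust's u128/i128 primitives as stand-ins for Uint128/Int128 (the crate is not
a dependency here) to show the two behaviours side by side: the wrapping results
the advisory describes, and a checked pow/neg built only from checked_mul and
checked_neg so that overflow is reported as an error no matter which
overflow-checks profile the crate was compiled with. The scale_amount helper, the
OverflowError type and the overflow_checks_enabled probe are constructed for this
example; the probe is a build-profile check a contract test suite could assert on.

```rust
use std::hint::black_box;
use std::panic;

/// Error returned instead of a silently wrapped value. `op` names the
/// operation that overflowed, for use in a contract error message.
/// (Example type; not cosmwasm-std's OverflowError.)
#[derive(Debug, PartialEq, Eq)]
pub struct OverflowError {
    pub op: &'static str,
}

/// Exponentiation by squaring built only from `checked_mul`, so it reports
/// overflow regardless of the `overflow-checks` setting the crate was built
/// with. u128 stands in for Uint128; the same loop works for any width.
pub fn checked_pow(base: u128, exp: u32) -> Result<u128, OverflowError> {
    let overflow = || OverflowError { op: "pow" };
    let mut acc: u128 = 1;
    let mut b = base;
    let mut e = exp;
    while e > 0 {
        if e & 1 == 1 {
            acc = acc.checked_mul(b).ok_or_else(overflow)?;
        }
        e >>= 1;
        // Only square when another round follows: b*b can overflow even
        // though it would never be multiplied into acc.
        if e > 0 {
            b = b.checked_mul(b).ok_or_else(overflow)?;
        }
    }
    Ok(acc)
}

/// Negation that rejects i128::MIN instead of wrapping back to i128::MIN.
pub fn checked_neg(value: i128) -> Result<i128, OverflowError> {
    value.checked_neg().ok_or(OverflowError { op: "neg" })
}

/// The wrapping behaviour the advisory describes, kept for comparison:
/// 2^128 wraps to 0 and -(MIN) stays MIN, with no error anywhere.
pub fn wrapping_pow(base: u128, exp: u32) -> u128 {
    base.wrapping_pow(exp)
}

pub fn wrapping_neg(value: i128) -> i128 {
    value.wrapping_neg()
}

/// A small contract-style computation: scale `amount` by base^exp / denom
/// (a fee or interest curve). Every step is checked, so an oversized
/// exponent yields an error the contract can return, not a wrong balance.
pub fn scale_amount(amount: u128, base: u128, exp: u32, denom: u128) -> Result<u128, OverflowError> {
    let factor = checked_pow(base, exp)?;
    let scaled = amount.checked_mul(factor).ok_or(OverflowError { op: "mul" })?;
    scaled.checked_div(denom).ok_or(OverflowError { op: "div" })
}

/// Runtime probe for the build profile: true if this binary was compiled
/// with `overflow-checks = true` (primitive `+` panics on overflow), false if
/// primitive arithmetic wraps. A contract test suite can
/// `assert!(overflow_checks_enabled())` to catch a Cargo profile that
/// dropped the setting.
pub fn overflow_checks_enabled() -> bool {
    // Silence the default panic message while probing.
    let previous = panic::take_hook();
    panic::set_hook(Box::new(|_| {}));
    let panicked = panic::catch_unwind(|| {
        let x: u64 = black_box(u64::MAX);
        let _ = black_box(x + black_box(1));
    })
    .is_err();
    panic::set_hook(previous);
    panicked
}

fn main() {
    println!("checked  3^81  = {:?}", checked_pow(3, 81));
    println!("wrapping 2^128 = {}", wrapping_pow(2, 128));
    println!("checked  -MIN  = {:?}", checked_neg(i128::MIN));
    println!("wrapping -MIN  = {}", wrapping_neg(i128::MIN));
    println!("overflow-checks enabled: {}", overflow_checks_enabled());
}
```

The checked versions are the contract-side defence that does not depend on the
compiler flag; the overflow_checks_enabled probe is the complementary check that
the flag is actually in effect for the build being tested (its result differs
between a profile with and without overflow-checks = true, which is the point).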

Published to the GitHub Advisory Database Apr 24, 2024
Reviewed Apr 24, 2024
Last updated Apr 24, 2024

Severity

Low (3.7 / 10)

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE ID

No known CVE

GHSA ID

GHSA-8724-5xmm-w5xq
