
🛡️ Arithmetic Overflow in CosmWasm-Std Affects OKP4 Contracts #553

Closed
ccamel opened this issue May 23, 2024 · 2 comments · Fixed by #533
Labels: security audit (Categorizes an issue or PR as relevant to Security Audit)
Comments

ccamel (Member) commented May 23, 2024

Note

Severity: Medium
Target: v5.0.0 - Commit: cde785fbd2dad71608d53f8524e0ef8c8f8178af
Ref: OKP4 CosmWasm Audit Report v1.0 - 02-05-2024 - BlockApex

Description

The OKP4 ecosystem is currently using version 1.5.3 of the cosmwasm-std library, which has been found to contain arithmetic overflow issues as detailed in advisory CWA-2024-002. This vulnerability affects all contracts that perform arithmetic operations, including Objectarium, Cognitarium, Dataverse, and Law Stone. Arithmetic overflows can alter the expected behavior of smart contracts by causing computations to wrap incorrectly.

Impact

This overflow can lead to incorrect data processing, resulting in potential state corruption or mismanagement of contract logic. It directly threatens the reliability and effectiveness of the contract's intended functionalities.

Recommendation

Upgrade the cosmwasm-std library to the latest patched version as recommended in the advisory.
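The wrapping behaviour the issue describes, shown as an added example that is not code from the OKP4 contracts or from cosmwasm-std: a toy token ledger in plain Rust (std only, with `u128` standing in for a Uint128-like type). Every name in it (`Ledger`, `LedgerError`, `mint_wrapping`, `mint_checked`, `mul_ratio`) is hypothetical. It contrasts a state update built on wrapping arithmetic, which "succeeds" and leaves the balances/total-supply invariant broken, with a checked version that returns an error before anything is written, and it includes the multiply-then-divide case where the intermediate product overflows even though the final quotient would fit.

```rust
// Added example, not code from the OKP4 contracts or from cosmwasm-std.
// A toy token ledger in plain Rust: u128 stands in for a Uint128-like type,
// and every name here (Ledger, LedgerError, mint_wrapping, ...) is hypothetical.
use std::collections::BTreeMap;

#[derive(Debug, PartialEq, Eq)]
pub enum LedgerError {
    Overflow { op: &'static str, lhs: u128, rhs: u128 },
    DivideByZero,
}

/// Checked helpers: an overflow becomes an error the contract returns,
/// which aborts the transaction instead of committing wrapped values.
pub fn checked_add(lhs: u128, rhs: u128) -> Result<u128, LedgerError> {
    lhs.checked_add(rhs)
        .ok_or(LedgerError::Overflow { op: "add", lhs, rhs })
}

pub fn checked_mul(lhs: u128, rhs: u128) -> Result<u128, LedgerError> {
    lhs.checked_mul(rhs)
        .ok_or(LedgerError::Overflow { op: "mul", lhs, rhs })
}

/// value * numerator / denominator, checking the intermediate product.
/// The product is where fee and ratio computations typically overflow even
/// when the final quotient would fit; a wider intermediate type is the fix.
pub fn mul_ratio(value: u128, numerator: u128, denominator: u128) -> Result<u128, LedgerError> {
    if denominator == 0 {
        return Err(LedgerError::DivideByZero);
    }
    Ok(checked_mul(value, numerator)? / denominator)
}

#[derive(Debug, Default)]
pub struct Ledger {
    pub balances: BTreeMap<String, u128>,
    pub total_supply: u128,
}

impl Ledger {
    /// The invariant a token contract relies on: sum of balances == total supply.
    /// The sum itself is computed with checked arithmetic so the check cannot wrap.
    pub fn invariant_holds(&self) -> bool {
        let mut sum: u128 = 0;
        for amount in self.balances.values() {
            match sum.checked_add(*amount) {
                Some(s) => sum = s,
                None => return false,
            }
        }
        sum == self.total_supply
    }

    /// Vulnerable pattern: wrapping arithmetic. The call "succeeds" and the
    /// wrapped values are written to state, which is the corruption the
    /// issue describes.
    pub fn mint_wrapping(&mut self, account: &str, amount: u128) {
        let balance = self.balances.entry(account.to_string()).or_insert(0);
        *balance = balance.wrapping_add(amount);
        self.total_supply = self.total_supply.wrapping_add(amount);
    }

    /// Hardened pattern: every arithmetic step is checked, and state is only
    /// written once all of them succeeded, so a failed mint changes nothing.
    pub fn mint_checked(&mut self, account: &str, amount: u128) -> Result<(), LedgerError> {
        let current = self.balances.get(account).copied().unwrap_or(0);
        let new_balance = checked_add(current, amount)?;
        let new_supply = checked_add(self.total_supply, amount)?;
        self.balances.insert(account.to_string(), new_balance);
        self.total_supply = new_supply;
        Ok(())
    }
}

fn main() {
    // Constructed scenario: alice already holds u128::MAX, then bob is minted 1.
    let mut wrapped = Ledger::default();
    wrapped.mint_wrapping("alice", u128::MAX);
    wrapped.mint_wrapping("bob", 1);
    println!(
        "wrapping: supply={} invariant={}",
        wrapped.total_supply,
        wrapped.invariant_holds()
    );

    let mut checked = Ledger::default();
    checked.mint_checked("alice", u128::MAX).expect("first mint fits");
    let err = checked.mint_checked("bob", 1).unwrap_err();
    println!(
        "checked: second mint rejected ({:?}), supply={} invariant={}",
        err,
        checked.total_supply,
        checked.invariant_holds()
    );

    println!("fee on 1000 at 3%: {:?}", mul_ratio(1_000, 3, 100));
    println!("intermediate overflow: {:?}", mul_ratio(u128::MAX, 2, 2));
}
```

The example uses explicit `wrapping_add` so it wraps regardless of build profile; in a real contract the same silent wrap happens with plain `+` only when `overflow-checks` is off in the release profile (the CosmWasm contract template turns it on, which makes `+` panic instead). Either way the fix recommended above is the library upgrade plus checked operations at the contract level. To confirm which cosmwasm-std version a workspace actually compiles in, `cargo tree -i cosmwasm-std` lists the resolved version and every crate that depends on it.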

bdeneux (Contributor) commented May 31, 2024

Fixed by @dependabot PR: #533

amimart (Member) commented Jun 4, 2024

> Fixed by @dependabot PR: #533

Yep, closing it :)

@amimart amimart closed this as completed Jun 4, 2024