Tomorrow, on Tuesday, April 18th at 17:00 Berlin time (15:00 UTC / 8am Pacific Time) Confio will release a fix for a medium severity security issue in CosmWasm. The patch for this issue will be distributed and communicated via the regular CosmWasm release process.
This issue impacts the availability of a chain running CosmWasm, and could allow for a malicious contract to trigger a crash that can halt the chain. Though chains that use CosmWasm with permissioned uploads or instantiation are not directly at risk, we advise chains that support permissionless contract instantiation to be prepared to apply the patch and to coordinate network upgrades as quickly as their processes allow to fully remediate the issue.
The patch is not a consensus-breaking security fix and can be applied in-place, and instructions will be provided to all maintainers tomorrow as part of the release process. We anticipate that the patch will be a simple, straightforward fix for chain maintainers, as it is a matter of replacing one Go dependency and rebuilding the application.
The incident is tracked as CWA-2023-002, codename Cherry.