Merge pull request #2291 from CosmWasm/co/audit-fixes

chipshort · web-flow · commit 065c08dee893 · 2025-06-13T13:55:01.000+02:00
Security fixes on main
diff --git a/tests/integration/ibc_integration_test.go b/tests/integration/ibc_integration_test.go
@@ -397,10 +397,10 @@ func TestIBCAsyncAck(t *testing.T) {
 		path              = wasmibctesting.NewWasmPath(chainA, chainB)
 	)
 	path.EndpointA.ChannelConfig = &ibctesting.ChannelConfig{
-		PortID: sourcePortID, Version: "ibc-reflect-v1", Order: channeltypes.UNORDERED,
+		PortID: sourcePortID, Version: "ibc-reflect-v1", Order: channeltypes.ORDERED,
 	}
 	path.EndpointB.ChannelConfig = &ibctesting.ChannelConfig{
-		PortID: counterpartPortID, Version: "ibc-reflect-v1", Order: channeltypes.UNORDERED,
+		PortID: counterpartPortID, Version: "ibc-reflect-v1", Order: channeltypes.ORDERED,
 	}
 
 	coord.SetupConnections(&path.Path)
diff --git a/x/wasm/keeper/msg_dispatcher.go b/x/wasm/keeper/msg_dispatcher.go
@@ -68,14 +68,18 @@ func (d MessageDispatcher) dispatchMsgWithGasLimit(ctx sdk.Context, contractAddr
 	// catch out of gas panic and just charge the entire gas limit
 	defer func() {
 		if r := recover(); r != nil {
-			// if it's not an OutOfGas error, raise it again
-			if _, ok := r.(storetypes.ErrorOutOfGas); !ok {
+			if _, ok := r.(storetypes.ErrorOutOfGas); ok {
+				// consume the gas limit for the submessage and turn panic into error
+				ctx.GasMeter().ConsumeGas(gasLimit, "Sub-Message OutOfGas panic")
+				err = errorsmod.Wrap(sdkerrors.ErrOutOfGas, "SubMsg hit gas limit")
+			} else {
+				// if it's not an ErrorOutOfGas, consume the gas used in the sub-context and raise it again
+				spent := subCtx.GasMeter().GasConsumed()
+				ctx.GasMeter().ConsumeGas(spent, "From limited Sub-Message")
 				// log it to get the original stack trace somewhere (as panic(r) keeps message but stacktrace to here
 				moduleLogger(ctx).Info("SubMsg rethrowing panic: %#v", r)
 				panic(r)
 			}
-			ctx.GasMeter().ConsumeGas(gasLimit, "Sub-Message OutOfGas panic")
-			err = errorsmod.Wrap(sdkerrors.ErrOutOfGas, "SubMsg hit gas limit")
 		}
 	}()
 	events, data, msgResponses, err = d.messenger.DispatchMsg(subCtx, contractAddr, ibcPort, msg)
diff --git a/x/wasm/keeper/relay.go b/x/wasm/keeper/relay.go
@@ -29,24 +29,40 @@ func (k Keeper) OnOpenChannel(
 	msg wasmvmtypes.IBCChannelOpenMsg,
 ) (string, error) {
 	defer telemetry.MeasureSince(time.Now(), "wasm", "contract", "ibc-open-channel")
-	_, codeInfo, prefixStore, err := k.contractInstance(ctx, contractAddr)
+	contractInfo, codeInfo, prefixStore, err := k.contractInstance(ctx, contractAddr)
 	if err != nil {
 		return "", err
 	}
 
+	sdkCtx := sdk.UnwrapSDKContext(ctx)
+	sdkCtx, discount := k.checkDiscountEligibility(sdkCtx, codeInfo.CodeHash, k.IsPinnedCode(ctx, contractInfo.CodeID))
+	setupCost := k.gasRegister.SetupContractCost(discount, msg.ExpectedJSONSize())
+	sdkCtx.GasMeter().ConsumeGas(setupCost, "Loading CosmWasm module: ibc-open-channel")
+
 	env := types.NewEnv(ctx, k.txHash, contractAddr)
 	querier := k.newQueryHandler(ctx, contractAddr)
 
 	gasLeft := k.runtimeGasForContract(ctx)
 	res, gasUsed, execErr := k.wasmVM.IBCChannelOpen(codeInfo.CodeHash, env, msg, prefixStore, cosmwasmAPI, querier, ctx.GasMeter(), gasLeft, costJSONDeserialization)
 	k.consumeRuntimeGas(ctx, gasUsed)
+	// check if contract panicked / VM failed
 	if execErr != nil {
 		return "", errorsmod.Wrap(types.ErrExecuteFailed, execErr.Error())
 	}
-	if res != nil && res.Ok != nil {
-		return res.Ok.Version, nil
+	if res == nil {
+		// If this gets executed, that's a bug in wasmvm
+		return "", errorsmod.Wrap(types.ErrVMError, "internal wasmvm error")
+	}
+	// check contract result
+	if res.Err != "" {
+		return "", types.MarkErrorDeterministic(errorsmod.Wrap(types.ErrExecuteFailed, res.Err))
+	}
+	if res.Ok == nil {
+		// a nil "ok" value is a valid response and means the contract accepts the incoming channel version
+		// see https://docs.rs/cosmwasm-std/2.2.2/cosmwasm_std/type.IbcChannelOpenResponse.html
+		return "", nil
 	}
-	return "", nil
+	return res.Ok.Version, nil
 }
 
 // OnConnectChannel calls the contract to let it know the IBC channel was established.
@@ -67,6 +83,11 @@ func (k Keeper) OnConnectChannel(
 		return err
 	}
 
+	sdkCtx := sdk.UnwrapSDKContext(ctx)
+	sdkCtx, discount := k.checkDiscountEligibility(sdkCtx, codeInfo.CodeHash, k.IsPinnedCode(ctx, contractInfo.CodeID))
+	setupCost := k.gasRegister.SetupContractCost(discount, msg.ExpectedJSONSize())
+	sdkCtx.GasMeter().ConsumeGas(setupCost, "Loading CosmWasm module: ibc-connect-channel")
+
 	env := types.NewEnv(ctx, k.txHash, contractAddr)
 	querier := k.newQueryHandler(ctx, contractAddr)
 
@@ -105,6 +126,11 @@ func (k Keeper) OnCloseChannel(
 		return err
 	}
 
+	sdkCtx := sdk.UnwrapSDKContext(ctx)
+	sdkCtx, discount := k.checkDiscountEligibility(sdkCtx, codeInfo.CodeHash, k.IsPinnedCode(ctx, contractInfo.CodeID))
+	setupCost := k.gasRegister.SetupContractCost(discount, msg.ExpectedJSONSize())
+	sdkCtx.GasMeter().ConsumeGas(setupCost, "Loading CosmWasm module: ibc-close-channel")
+
 	params := types.NewEnv(ctx, k.txHash, contractAddr)
 	querier := k.newQueryHandler(ctx, contractAddr)
 
@@ -142,6 +168,11 @@ func (k Keeper) OnRecvPacket(
 		return nil, err
 	}
 
+	sdkCtx := sdk.UnwrapSDKContext(ctx)
+	sdkCtx, discount := k.checkDiscountEligibility(sdkCtx, codeInfo.CodeHash, k.IsPinnedCode(ctx, contractInfo.CodeID))
+	setupCost := k.gasRegister.SetupContractCost(discount, msg.ExpectedJSONSize())
+	sdkCtx.GasMeter().ConsumeGas(setupCost, "Loading CosmWasm module: ibc-recv-packet")
+
 	env := types.NewEnv(ctx, k.txHash, contractAddr)
 	querier := k.newQueryHandler(ctx, contractAddr)
 
@@ -215,6 +246,11 @@ func (k Keeper) OnAckPacket(
 		return err
 	}
 
+	sdkCtx := sdk.UnwrapSDKContext(ctx)
+	sdkCtx, discount := k.checkDiscountEligibility(sdkCtx, codeInfo.CodeHash, k.IsPinnedCode(ctx, contractInfo.CodeID))
+	setupCost := k.gasRegister.SetupContractCost(discount, msg.ExpectedJSONSize())
+	sdkCtx.GasMeter().ConsumeGas(setupCost, "Loading CosmWasm module: ibc-ack-packet")
+
 	env := types.NewEnv(ctx, k.txHash, contractAddr)
 	querier := k.newQueryHandler(ctx, contractAddr)
 
@@ -250,6 +286,11 @@ func (k Keeper) OnTimeoutPacket(
 		return err
 	}
 
+	sdkCtx := sdk.UnwrapSDKContext(ctx)
+	sdkCtx, discount := k.checkDiscountEligibility(sdkCtx, codeInfo.CodeHash, k.IsPinnedCode(ctx, contractInfo.CodeID))
+	setupCost := k.gasRegister.SetupContractCost(discount, msg.ExpectedJSONSize())
+	sdkCtx.GasMeter().ConsumeGas(setupCost, "Loading CosmWasm module: ibc-timeout-packet")
+
 	env := types.NewEnv(ctx, k.txHash, contractAddr)
 	querier := k.newQueryHandler(ctx, contractAddr)
 
@@ -284,6 +325,11 @@ func (k Keeper) IBCSourceCallback(
 		return err
 	}
 
+	sdkCtx := sdk.UnwrapSDKContext(ctx)
+	sdkCtx, discount := k.checkDiscountEligibility(sdkCtx, codeInfo.CodeHash, k.IsPinnedCode(ctx, contractInfo.CodeID))
+	setupCost := k.gasRegister.SetupContractCost(discount, msg.ExpectedJSONSize())
+	sdkCtx.GasMeter().ConsumeGas(setupCost, "Loading CosmWasm module: ibc-source-chain-callback")
+
 	env := types.NewEnv(ctx, k.txHash, contractAddr)
 	querier := k.newQueryHandler(ctx, contractAddr)
 
@@ -318,6 +364,11 @@ func (k Keeper) IBCDestinationCallback(
 		return err
 	}
 
+	sdkCtx := sdk.UnwrapSDKContext(ctx)
+	sdkCtx, discount := k.checkDiscountEligibility(sdkCtx, codeInfo.CodeHash, k.IsPinnedCode(ctx, contractInfo.CodeID))
+	setupCost := k.gasRegister.SetupContractCost(discount, msg.ExpectedJSONSize())
+	sdkCtx.GasMeter().ConsumeGas(setupCost, "Loading CosmWasm module: ibc-destination-chain-callback")
+
 	env := types.NewEnv(ctx, k.txHash, contractAddr)
 	querier := k.newQueryHandler(ctx, contractAddr)
 
diff --git a/x/wasm/keeper/relay_test.go b/x/wasm/keeper/relay_test.go
@@ -83,8 +83,8 @@ func TestOnOpenChannel(t *testing.T) {
 			}
 			require.NoError(t, err)
 			// verify gas consumed
-			const storageCosts = storetypes.Gas(3101)
-			assert.Equal(t, spec.expGas, ctx.GasMeter().GasConsumed()-before-storageCosts)
+			const storageCosts = storetypes.Gas(4101)
+			assert.Equal(t, spec.expGas, ctx.GasMeter().GasConsumed()-before-storageCosts-types.DefaultInstanceCost)
 		})
 	}
 }
@@ -189,8 +189,8 @@ func TestOnConnectChannel(t *testing.T) {
 			}
 			require.NoError(t, err)
 			// verify gas consumed
-			const storageCosts = storetypes.Gas(3101)
-			assert.Equal(t, spec.expContractGas, ctx.GasMeter().GasConsumed()-before-storageCosts)
+			const storageCosts = storetypes.Gas(4101)
+			assert.Equal(t, spec.expContractGas, ctx.GasMeter().GasConsumed()-before-storageCosts-types.DefaultInstanceCost)
 			// verify msgs dispatched
 			require.Len(t, *capturedMsgs, len(spec.contractResp.Messages))
 			for i, m := range spec.contractResp.Messages {
@@ -299,8 +299,8 @@ func TestOnCloseChannel(t *testing.T) {
 			}
 			require.NoError(t, err)
 			// verify gas consumed
-			const storageCosts = storetypes.Gas(3101)
-			assert.Equal(t, spec.expContractGas, ctx.GasMeter().GasConsumed()-before-storageCosts)
+			const storageCosts = storetypes.Gas(4101)
+			assert.Equal(t, spec.expContractGas, ctx.GasMeter().GasConsumed()-before-storageCosts-types.DefaultInstanceCost)
 			// verify msgs dispatched
 			require.Len(t, *capturedMsgs, len(spec.contractResp.Messages))
 			for i, m := range spec.contractResp.Messages {
@@ -495,8 +495,8 @@ func TestOnRecvPacket(t *testing.T) {
 			}
 
 			// verify gas consumed
-			const storageCosts = storetypes.Gas(3101)
-			assert.Equal(t, spec.expContractGas, ctx.GasMeter().GasConsumed()-before-storageCosts)
+			const storageCosts = storetypes.Gas(4101)
+			assert.Equal(t, spec.expContractGas, ctx.GasMeter().GasConsumed()-before-storageCosts-types.DefaultInstanceCost)
 
 			// verify msgs dispatched on success/ err response
 			if spec.contractResp.Err != "" {
@@ -606,8 +606,8 @@ func TestOnAckPacket(t *testing.T) {
 			}
 			require.NoError(t, err)
 			// verify gas consumed
-			const storageCosts = storetypes.Gas(3101)
-			assert.Equal(t, spec.expContractGas, ctx.GasMeter().GasConsumed()-before-storageCosts)
+			const storageCosts = storetypes.Gas(4101)
+			assert.Equal(t, spec.expContractGas, ctx.GasMeter().GasConsumed()-before-storageCosts-types.DefaultInstanceCost)
 			// verify msgs dispatched
 			require.Len(t, *capturedMsgs, len(spec.contractResp.Messages))
 			for i, m := range spec.contractResp.Messages {
@@ -726,8 +726,8 @@ func TestOnTimeoutPacket(t *testing.T) {
 			}
 			require.NoError(t, err)
 			// verify gas consumed
-			const storageCosts = storetypes.Gas(3101)
-			assert.Equal(t, spec.expContractGas, ctx.GasMeter().GasConsumed()-before-storageCosts)
+			const storageCosts = storetypes.Gas(4101)
+			assert.Equal(t, spec.expContractGas, ctx.GasMeter().GasConsumed()-before-storageCosts-types.DefaultInstanceCost)
 			// verify msgs dispatched
 			require.Len(t, *capturedMsgs, len(spec.contractResp.Messages))
 			for i, m := range spec.contractResp.Messages {

Original file line number	Diff line number	Diff line change
`@@ -397,10 +397,10 @@ func TestIBCAsyncAck(t *testing.T) {`
`397`	`397`	`path = wasmibctesting.NewWasmPath(chainA, chainB)`
`398`	`398`	`)`
`399`	`399`	`path.EndpointA.ChannelConfig = &ibctesting.ChannelConfig{`
`400`		`- PortID: sourcePortID, Version: "ibc-reflect-v1", Order: channeltypes.UNORDERED,`
	`400`	`+ PortID: sourcePortID, Version: "ibc-reflect-v1", Order: channeltypes.ORDERED,`
`401`	`401`	`}`
`402`	`402`	`path.EndpointB.ChannelConfig = &ibctesting.ChannelConfig{`
`403`		`- PortID: counterpartPortID, Version: "ibc-reflect-v1", Order: channeltypes.UNORDERED,`
	`403`	`+ PortID: counterpartPortID, Version: "ibc-reflect-v1", Order: channeltypes.ORDERED,`
`404`	`404`	`}`
`405`	`405`
`406`	`406`	`coord.SetupConnections(&path.Path)`