[Bug] The wasmd querier GasConsumed() is not adaptive wasmvm, maybe cause an attack。

[lyh169]

1. in wasmd
   when Execute, need generate the querier.

	// prepare querier
	querier := k.newQueryHandler(ctx, contractAddress)
	gas := k.runtimeGasForContract(ctx)
	res, gasUsed, execErr := k.wasmVM.Execute(codeInfo.CodeHash, env, info, msg, prefixStore, cosmwasmAPI, querier, k.gasMeter(ctx), gas, costJSONDeserialization)
	k.consumeRuntimeGas(ctx, gasUsed)
	if execErr != nil {
		return nil, errorsmod.Wrap(types.ErrExecuteFailed, execErr.Error())
	}

the newQueryHandler generate a object QueryHandler that implement the Querier interface as follow

type Querier interface {
	Query(request QueryRequest, gasLimit uint64) ([]byte, error)
	GasConsumed() uint64
}

the QueryHandler Gasconsumed is as follow.

func (q QueryHandler) GasConsumed() uint64 {
	return q.Ctx.GasMeter().GasConsumed()
}

2. But in wasmvm the cQueryExternal get the GasConsumed as follow,

func cQueryExternal(ptr *C.querier_t, gasLimit cu64, usedGas *cu64, request C.U8SliceView, result *C.UnmanagedVector, errOut *C.UnmanagedVector) (ret C.GoError) {
	defer recoverPanic(&ret)
        
........
	// query the data
	querier := *(*Querier)(unsafe.Pointer(ptr))
	req := copyU8Slice(request)

	gasBefore := querier.GasConsumed()
	res := types.RustQuery(querier, req, uint64(gasLimit))
	gasAfter := querier.GasConsumed()
	*usedGas = (cu64)(gasAfter - gasBefore)
........
	return C.GoError_None
}

the *usedGas will be acquired by wasmvm/libwasmvm/src/querier.rs/query_raw, as follow

       &self,
       request: &[u8],
       gas_limit: u64,
   ) -> BackendResult<SystemResult<ContractResult<Binary>>> {
       let mut output = UnmanagedVector::default();
       let mut error_msg = UnmanagedVector::default();
       let mut used_gas = 0_u64;
       let go_result: GoError = (self.vtable.query_external)(
           self.state,
           gas_limit,
           &mut used_gas as *mut u64,
           U8SliceView::new(Some(request)),
           &mut output as *mut UnmanagedVector,
           &mut error_msg as *mut UnmanagedVector,
       )
       .into();
       // We destruct the UnmanagedVector here, no matter if we need the data.
       let output = output.consume();

       let gas_info = GasInfo::with_externally_used(used_gas);
.........
}

the gas_info will return to the cosmwasm， the process in process_gas_info

pub fn process_gas_info<A: BackendApi, S: Storage, Q: Querier>(
    env: &Environment<A, S, Q>,
    info: GasInfo,
) -> VmResult<()> 

because of this gasUsed is calculate in the sdk gas mode but not WasmVMGas， so it maybe influence the exec。

3. this gasUsed calculate is not the same as the store 。

the store used GasMeter it GasConsumed() function as follow。

type MultipliedGasMeter struct {
	originalMeter sdk.GasMeter
	GasRegister   GasRegister
}

func NewMultipliedGasMeter(originalMeter sdk.GasMeter, gr GasRegister) MultipliedGasMeter {
	return MultipliedGasMeter{originalMeter: originalMeter, GasRegister: gr}
}

var _ wasmvm.GasMeter = MultipliedGasMeter{}

func (m MultipliedGasMeter) GasConsumed() sdk.Gas {
	return m.GasRegister.ToWasmVMGas(m.originalMeter.GasConsumed())
}

Is this GasConsumed() correct or not ？ @alpe Thanks

[pinosu]

Thanks for bringing this up! 🙏 I am not confident on giving an answer about this. @alpe is on holidays at the moment but he can probably help on this when he is back!

[webmaster128]

Thanks a lot – looks like a great find. We are working on it.