CVE-2025-61595 Overview
CVE-2025-61595 affects MANTRA Chain, a purpose-built Real World Asset (RWA) Layer 1 blockchain designed to meet regulatory requirements. Versions 4.0.1 and below fail to enforce the transaction gas limit within token factory send hooks. A malicious WebAssembly (Wasm) contract can spend more gas than what remains in the transaction context. Combined with recursive contract calls, this can amplify gas consumption exponentially and disrupt chain operation. The issue is tracked under CWE-400: Uncontrolled Resource Consumption and is fixed in version 4.0.2.
Critical Impact
Network-accessible attackers can trigger exponential gas amplification through recursive Wasm contract calls in send hooks, leading to node resource exhaustion and chain availability impact.
Affected Products
- MANTRA Chain (mantrachain) versions 4.0.1 and below
- Token Factory module (x/tokenfactory) before-send hook handler
- Wasm-enabled CosmWasm contracts registered as send hooks
Discovery Timeline
- 2025-10-02 - CVE-2025-61595 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-61595
Vulnerability Analysis
The defect resides in the token factory BeforeSendHook execution path. When a transfer occurs for a denom with a registered Wasm hook, the keeper creates a child context with a fresh gas meter initialized to BeforeSendHookGasLimit. The implementation does not reconcile this fresh limit against the remaining gas in the parent transaction. A Wasm contract invoked as a send hook can therefore consume gas in excess of what the transaction itself authorizes.
When the hook contract recursively dispatches further token transfers, each nested invocation again allocates a fresh BeforeSendHookGasLimit. The cumulative gas consumed across the recursion grows multiplicatively rather than being bounded by the original transaction budget. Validators executing such a transaction expend disproportionate compute resources, threatening block production and chain liveness.
Root Cause
The root cause is missing bounds enforcement between the child gas meter and the parent transaction gas meter in x/tokenfactory/keeper/before_send.go. The original code unconditionally created types2.NewGasMeter(types.BeforeSendHookGasLimit) for the child context. No call to GasRemaining() constrained the value, allowing accumulated gas use to exceed the transaction limit.
Attack Vector
An attacker deploys a CosmWasm contract that registers as a before-send hook on a token factory denom. The contract recursively triggers additional token transfers within its hook handler. Submitting a transaction that initiates a transfer of the denom causes the chain to enter the recursive hook path, amplifying gas consumption beyond intended limits without requiring authentication.
// Patch from x/tokenfactory/keeper/before_send.go
// Source: https://github.com/MANTRA-Chain/mantrachain/commit/30d36c46e9823b56b8f0dcbb66e980ca5df284e4
}
em := sdk.NewEventManager()
- childCtx := c.WithGasMeter(types2.NewGasMeter(types.BeforeSendHookGasLimit))
+ newGasLimit := min(types.BeforeSendHookGasLimit, c.GasMeter().GasRemaining())
+ childCtx := c.WithGasMeter(types2.NewGasMeter(newGasLimit))
_, err = k.contractKeeper.Sudo(childCtx.WithEventManager(em), cwAddr, msgBz)
if err != nil {
return errorsmod.Wrapf(err, "failed to call before send hook for denom %s", coin.Denom)
The fix clamps the child gas meter to the minimum of BeforeSendHookGasLimit and the remaining gas reported by the parent context. This caps total send-hook gas at the transaction's own remaining budget and prevents recursion-based amplification.
Detection Methods for CVE-2025-61595
Indicators of Compromise
- Transactions invoking token factory transfers that consume gas approaching block limits without proportionate state changes
- Validator logs showing elevated CPU or memory utilization during block execution of transfers with registered Wasm hooks
- Repeated BeforeSendHook invocations originating from a single transaction trace
Detection Strategies
- Inspect transaction traces for nested Sudo calls into CosmWasm contracts triggered via x/tokenfactory before-send hooks
- Monitor on-chain registrations of new before-send hook contracts and review their Wasm bytecode for recursive transfer dispatch logic
- Compare per-transaction gas used against BeforeSendHookGasLimit multiplied by hook invocation depth to flag anomalies
Monitoring Recommendations
- Alert on validator nodes experiencing block production latency correlated with token factory transfer transactions
- Track sudden growth in Wasm contract execution time for hook-registered denoms
- Ingest node telemetry and Cosmos SDK event logs into a centralized analytics platform for correlation across validators
How to Mitigate CVE-2025-61595
Immediate Actions Required
- Upgrade all MANTRA Chain validator and full nodes to version 4.0.2 or later
- Audit existing token factory denoms for registered before-send hook contracts and review their code paths
- Coordinate with chain governance to enforce the upgrade across the validator set before the next scheduled chain halt
Patch Information
The fix is delivered in MANTRA Chain version 4.0.2. The patch in commit 30d36c46e9823b56b8f0dcbb66e980ca5df284e4 bounds the child gas meter by c.GasMeter().GasRemaining(). Full advisory details are published in the MANTRA Chain GitHub Security Advisory GHSA-qwvm-wqq8-8j69.
Workarounds
- Restrict creation of new token factory denoms with before-send hooks through governance until the upgrade is applied
- Blacklist or unregister suspicious Wasm hook contracts identified during audit
- Reduce per-block gas limits temporarily to constrain the impact of any abusive transaction
# Verify node version after upgrade
mantrachaind version --long | grep -E 'version|commit'
# Expected: version >= 4.0.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
