Headline
GHSA-qwvm-wqq8-8j69: github.com/MANTRA-Chain/mantrachain/x/tokenfactory tx gas limit is not enforced in send hooks
Impact
send hooks can spend more gas than what’s remained in tx, combined with recursive calls in the wasm contract, can amplify the gas consumption exponentially.
Patches
It’s patched in v4.0.2 and v5.0.0
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-61595
github.com/MANTRA-Chain/mantrachain/x/tokenfactory tx gas limit is not enforced in send hooks
High severity GitHub Reviewed Published Sep 30, 2025 in MANTRA-Chain/mantrachain • Updated Sep 30, 2025
Package
gomod github.com/MANTRA-Chain/mantrachain (Go)
Affected versions
< 4.0.2
gomod github.com/MANTRA-Chain/mantrachain/v2 (Go)
gomod github.com/MANTRA-Chain/mantrachain/v3 (Go)
gomod github.com/MANTRA-Chain/mantrachain/v4 (Go)
Impact
send hooks can spend more gas than what’s remained in tx, combined with recursive calls in the wasm contract, can amplify the gas consumption exponentially.
Patches
It’s patched in v4.0.2 and v5.0.0
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
- GHSA-qwvm-wqq8-8j69
- MANTRA-Chain/mantrachain#432
Published to the GitHub Advisory Database
Sep 30, 2025
Last updated
Sep 30, 2025