VYPR
High severity · OSV Advisory · Published Oct 2, 2025 · Updated Apr 15, 2026

CVE-2025-61595

Description

MANTRA is a purpose-built RWA Layer 1 blockchain, capable of adherence to real-world regulatory requirements. Versions 4.0.1 and below do not enforce the transaction (tx) gas limit in their send hooks. A send hook can spend more gas than what remains in the tx, and combined with recursive calls in the wasm contract this can potentially amplify gas consumption exponentially. This is fixed in version 4.0.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/MANTRA-Chain/mantrachain/v4 (Go) | < 4.0.2 | 4.0.2 |
| github.com/MANTRA-Chain/mantrachain/v3 (Go) | >= 0 | |
| github.com/MANTRA-Chain/mantrachain/v2 (Go) | >= 0 | |
| github.com/MANTRA-Chain/mantrachain (Go) | >= 0 | |

Patches

30d36c46e982

fix: None (#437)

https://github.com/MANTRA-Chain/mantrachain · Lance Lan Meng · Sep 5, 2025 · via ghsa
1 file changed · +2 -1
  • x/tokenfactory/keeper/before_send.go · +2 -1 · modified
    @@ -127,7 +127,8 @@ func (k Keeper) callBeforeSendListener(ctx context.Context, from, to sdk.AccAddr
     			}
     			em := sdk.NewEventManager()
     
    -			childCtx := c.WithGasMeter(types2.NewGasMeter(types.BeforeSendHookGasLimit))
    +			newGasLimit := min(types.BeforeSendHookGasLimit, c.GasMeter().GasRemaining())
    +			childCtx := c.WithGasMeter(types2.NewGasMeter(newGasLimit))
     			_, err = k.contractKeeper.Sudo(childCtx.WithEventManager(em), cwAddr, msgBz)
     			if err != nil {
     				return errorsmod.Wrapf(err, "failed to call before send hook for denom %s", coin.Denom)
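
Review bot: The `min(...)` clamp on `newGasLimit` bounds each hook's child meter by `c.GasMeter().GasRemaining()`, but nothing in the visible lines after `k.contractKeeper.Sudo(...)` charges `childCtx.GasMeter().GasConsumed()` back to `c`. Please confirm that this happens outside the hunk, since without it every hook call would be clamped against the same remaining figure and the tx limit would not hold cumulatively. A one-line comment above `newGasLimit` explaining why the limit is clamped, plus a regression test that invokes the hook with less than `types.BeforeSendHookGasLimit` remaining, would make the intent reviewable; the commit subject `fix: None (#437)` conveys none of it.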
    
