CVE-2025-61595: 
vulnerability analysis and mitigation

MANTRA, a purpose-built RWA Layer 1 Blockchain, was found to have a critical vulnerability in versions 4.0.1 and below where the transaction gas limit was not properly enforced in its send hooks. The vulnerability was discovered and disclosed on September 30, 2025, and was assigned CVE-2025-61595. The issue affects the tokenfactory module in the MANTRA blockchain platform (GitHub Advisory).

The vulnerability stems from a failure to enforce transaction gas limits within send hooks, which could allow these hooks to consume more gas than what remains in the transaction. When combined with recursive calls in the WASM contract, this could lead to exponential gas consumption. The vulnerability has been assigned a CVSS v4.0 score of 8.8 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N. The issue has been classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

The vulnerability could lead to excessive gas consumption in the blockchain network, potentially causing resource exhaustion and affecting the platform's availability. The high CVSS score indicates significant potential for system-wide impact, particularly in terms of availability (VA:H in the CVSS vector) (GitHub Advisory).

The vulnerability has been patched in version 4.0.2 and version 5.0.x of the MANTRA blockchain. The fix involves implementing proper gas limit enforcement by calculating the minimum between the BeforeSendHookGasLimit and the remaining gas in the transaction (GitHub Commit).