logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-32646 vyper

Package

Manager: pip
Name: vyper
Vulnerable Version: >=0 <0.4.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00769 pctl0.72603

Details

vyper performs double eval of the slice start/length args in certain cases ### Summary Using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<address>.code` and either the `start` or `length` arguments have side-effects. A contract search was performed and no vulnerable contracts were found in production. Having side-effects in the start and length patterns is also an unusual pattern which is not that likely to show up in user code. It is also much harder (but not impossible!) to trigger the bug since `0.3.4` since the unique symbol fence was introduced (https://github.com/vyperlang/vyper/pull/2914). ### Details It can be seen that the `_build_adhoc_slice_node` function of the `slice` builtin doesn't cache the mentioned arguments to the stack: https://github.com/vyperlang/vyper/blob/4595938734d9988f8e46e8df38049ae0559abedb/vyper/builtins/functions.py#L244 As such, they can be evaluated multiple times (instead of retrieving the value from the stack). ### PoC with Vyper version `0.3.3+commit.48e326f` the call to `foo` passes the `asserts`: ```vyper l: DynArray[uint256, 10] @external def foo(cs: String[64]) -> uint256: for i in range(10): self.l.append(1) assert len(self.l) == 10 s: Bytes[64] = b"" s = slice(msg.data, self.l.pop(), 3) assert len(self.l) == 10 - 2 return len(self.l) ``` ### Patches Patched in https://github.com/vyperlang/vyper/pull/3976. ### Impact No vulnerable production contracts were found.

Metadata

Created: 2024-04-25T19:51:41Z
Modified: 2025-01-21T17:53:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-r56x-j438-vw5m/GHSA-r56x-j438-vw5m.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-r56x-j438-vw5m
Finding: F184
Auto approve: 1