GHSA-375m-5fvv-xq23 – vyper
Package
Manager: pip
Name: vyper
Vulnerable Version: >=0 <0.2.9
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
VVE-2021-0002: Incorrect `returndatasize` when using simple forwarder proxies deployed prior to EIP-1167 adoption

## Background

@tjayrush reported a data handling issue in certain Web3 libraries when interacting with forwarder proxy contracts deployed with Vyper's built-in `create_forwarder_to` function prior to our change to support EIP-1167 style forwarder proxies.

### Impact

If you are an end user of a forwarder-style proxy deployed using Vyper's built-in `create_forwarder_to` function AND you have a function that returns >4096 bytes AND you do no sanitization of the returned data, you could see data corruption. Otherwise, if you are handling the result of a call AND you expect a specific `RETURNDATASIZE` that is less than 4096 (as `SafeERC20.safeTransfer` does), that check will fail.

### Patches

The issue was patched when we upgraded to EIP-1167 style forwarder proxies in #2281.

### Workarounds

If you are calling a contract method that is expected to return <= 4096 bytes, there is no issue: the ABI decoders in both Solidity and Vyper truncate the data properly. Web3 libraries also do this, unless you are issuing `eth_call` or `eth_sendTransaction` directly.

If you are using a Solidity library that checks the `RETURNDATASIZE` of an external call to a forwarder proxy deployed prior to this patch, it will fail that assertion (for example `SafeERC20.safeTransfer`). The workaround is to always use a greater-than-or-equal check rather than a strict equality check.
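The following is an added illustration, not code from the advisory or the Vyper project: a pure-Python model of the return-data behaviour described above, contrasting a strict `RETURNDATASIZE` check with the recommended greater-than-or-equal check. The fixed 4096-byte copy in `legacy_forwarder_returndata` and the sample return values are constructed assumptions for the model, not the proxy's actual bytecode.

```python
# Added example (not from the advisory or the Vyper project): a pure-Python
# model of the pre- and post-patch forwarder proxies and of the caller-side
# size checks the advisory discusses. Sizes and sample values are constructed.

RETURN_BUFFER = 4096  # assumed fixed copy size of the pre-EIP-1167 forwarder


def legacy_forwarder_returndata(impl_return: bytes) -> bytes:
    """Model of the pre-EIP-1167 proxy: the implementation's return data lands
    in a fixed 4096-byte buffer, so RETURNDATASIZE is always 4096 and anything
    beyond 4096 bytes is lost (the data-corruption case in the advisory)."""
    return impl_return[:RETURN_BUFFER].ljust(RETURN_BUFFER, b"\x00")


def eip1167_forwarder_returndata(impl_return: bytes) -> bytes:
    """Model of the patched (EIP-1167 style) proxy: return data is passed
    through unchanged, so RETURNDATASIZE matches the implementation's."""
    return impl_return


def strict_size_check(returndata: bytes, expected: int) -> bool:
    """`returndatasize == expected`: the pattern that breaks on the legacy proxy."""
    return len(returndata) == expected


def tolerant_size_check(returndata: bytes, expected: int) -> bool:
    """The advisory's workaround: require at least `expected` bytes and let
    the ABI decoder truncate the rest."""
    return len(returndata) >= expected


def encode_bool(value: bool) -> bytes:
    """ABI-encode a bool as one 32-byte big-endian word."""
    return (1 if value else 0).to_bytes(32, "big")


def abi_decode_bool(returndata: bytes) -> bool:
    """Decode one ABI bool word, ignoring trailing bytes as ABI decoders do."""
    if len(returndata) < 32:
        raise ValueError("return data shorter than one ABI word")
    return int.from_bytes(returndata[:32], "big") == 1


def transfer_succeeds(returndata: bytes, size_check) -> bool:
    """SafeERC20-style wrapper: the size check must pass, then the bool is read."""
    return size_check(returndata, 32) and abi_decode_bool(returndata)
```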
Metadata
Created: 2021-04-19T15:11:54Z
Modified: 2021-04-16T23:17:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-375m-5fvv-xq23/GHSA-375m-5fvv-xq23.json
CWE IDs: ["CWE-20"]
Alternative ID: N/A
Finding: F184
Auto approve: 1