GHSA-5jrj-52x8-m64h

Source

https://github.com/advisories/GHSA-5jrj-52x8-m64h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-5jrj-52x8-m64h/GHSA-5jrj-52x8-m64h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5jrj-52x8-m64h

Aliases

Related

Published

2024-04-25T19:50:16Z

Modified

2025-01-21T18:22:46.455771Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

vyper performs multiple eval of `sqrt()` argument built in

Details

Summary

Using the sqrt builtin can result in multiple eval evaluation of side effects when the argument has side-effects. The bug is more difficult (but not impossible!) to trigger as of 0.3.4, when the unique symbol fence was introduced (https://github.com/vyperlang/vyper/pull/2914).

A contract search was performed and no vulnerable contracts were found in production.

Details

It can be seen that the build_IR function of the sqrt builtin doesn't cache the argument to the stack: https://github.com/vyperlang/vyper/blob/4595938734d9988f8e46e8df38049ae0559abedb/vyper/builtins/functions.py#L2151

As such, it can be evaluated multiple times (instead of retrieving the value from the stack).

PoC

With at least Vyper version 0.2.15+commit.6e7dba7 the following contract:

c: uint256

@internal
def some_decimal() -> decimal:
    self.c += 1
    return 1.0

@external
def foo() -> uint256:
    k: decimal = sqrt(self.some_decimal())
    return self.c

passes the following test:

// SPDX-License-Identifier: MIT
pragma solidity >=0.8.13;

import "../../lib/ds-test/test.sol";
import "../../lib/utils/Console.sol";
import "../../lib/utils/VyperDeployer.sol";

import "../ITest.sol";

contract ConTest is DSTest {
    VyperDeployer vyperDeployer = new VyperDeployer();

    ITest t;

    function setUp() public {
        t = ITest(vyperDeployer.deployContract("Test"));
    }

    function testFoo() public {
        uint256 val = t.foo();
        console.log(val);
        assert (val == 4);
    }
}

Patches

Patched in https://github.com/vyperlang/vyper/pull/3976.

Impact

No vulnerable production contracts were found.

Database specific

{
    "nvd_published_at": "2024-04-25T18:15:09Z",
    "cwe_ids": [
        "CWE-95"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T19:50:16Z"
}

References

Affected packages

PyPI / vyper

Package

Name: vyper; View open source insights on deps.dev
Purl: pkg:pypi/vyper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.4.0

Affected versions

0.*

0.1.0b1

0.1.0b2

0.1.0b3

0.1.0b4

0.1.0b5

0.1.0b6

0.1.0b7

0.1.0b8

0.1.0b9

0.1.0b10

0.1.0b11

0.1.0b12

0.1.0b13

0.1.0b14

0.1.0b15

0.1.0b16

0.1.0b17

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

0.2.14

0.2.15

0.2.16

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.3.10rc1

0.3.10rc2

0.3.10rc3

0.3.10rc4

0.3.10rc5

0.3.10

0.4.0b1

0.4.0b2

0.4.0b3

0.4.0b4

0.4.0b5

0.4.0b6

0.4.0rc1

0.4.0rc2

0.4.0rc3

0.4.0rc4

0.4.0rc5

0.4.0rc6