GHSA-m2v9-w374-5hj9

Source

https://github.com/advisories/GHSA-m2v9-w374-5hj9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-m2v9-w374-5hj9/GHSA-m2v9-w374-5hj9.json

Aliases

CVE-2024-32648

Published

2024-04-25T19:50:35Z

Modified

2024-04-25T20:13:45.347154Z

Details

Summary

Prior to v0.3.0, __default__() functions did not respect the @nonreentrancy decorator and the lock was not emitted. This is a known bug and was already visible in the issue tracker (https://github.com/vyperlang/vyper/issues/2455), but it is being re-issued as an advisory so that tools relying on the advisory publication list can incorporate it into their searches.

A contract search was additionally performed and no vulnerable contracts were found in production.

PoC

@external
@payable
@nonreentrant("default")
def __default__():
    pass

after codegen:

[seq,
  [if, [lt, calldatasize, 4], [goto, fallback]],
  [mstore, 28, [calldataload, 0]],
  [with, _func_sig, [mload, 0], seq],
  [seq_unchecked,
    [label, fallback],
    [seq,
      pass,
      # Line 5
      pass,
      pass,
      # Line 4
      stop]]],

Impact

No vulnerable production contracts were found. Additionally, using a lock on a default function is a very sparsely used pattern. As such, the impact is low.

References

Affected packages

PyPI / vyper

Package

Name: vyper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

0.3.0

Affected versions

0.*

0.1.0b1

0.1.0b2

0.1.0b3

0.1.0b4

0.1.0b5

0.1.0b6

0.1.0b7

0.1.0b8

0.1.0b9

0.1.0b10

0.1.0b11

0.1.0b12

0.1.0b13

0.1.0b14

0.1.0b15

0.1.0b16

0.1.0b17

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

0.2.14

0.2.15

0.2.16

Database specific

{
    "last_known_affected_version_range": "<= 0.2.16"
}