cvelistv5 - cve-2024-24567

URL	Tags
security-advisories@github.com	https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100	Exploit
security-advisories@github.com	https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100	Exploit
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m	Exploit, Vendor Advisory

ghsa-x2c2-q32w-4w6m

Vulnerability from github

Published

2024-01-30 18:42

Modified

2024-11-22 20:46

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Summary

Vyper's raw_call `value=` kwargs not disabled for static and delegate calls

Details

Summary

Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument.

A contract search was performed and no vulnerable contracts were found in production.

Details

The IR for raw_call is built in the RawCall class: https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100

However, the compiler doesn't validate that if either delegatecall or staticall are provided as kwargs, that value wasn't set. For example, the following compiles without errors: python raw_call(self, call_data2, max_outsize=255, is_delegate_call=True, value=msg.value/2)

Impact

If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the value kwarg, exactly the given amount will be sent along to the target. However in fact, no value will be sent.

Here is an example of an potentially problematic implementation of multicall utilizing the raw_call built-in: python value_accumulator: uint256 = empty(uint256) results: DynArray[Result, max_value(uint8)] = [] return_data: Bytes[max_value(uint8)] = b"" success: bool = empty(bool) for batch in data: msg_value: uint256 = batch.value value_accumulator = unsafe_add(value_accumulator, msg_value) if (batch.allow_failure == False): return_data = raw_call(self, batch.call_data, max_outsize=255, value=msg_value, is_delegate_call=True) success = True results.append(Result({success: success, return_data: return_data})) else: success, return_data = \ raw_call(self, batch.call_data, max_outsize=255, value=msg_value, is_delegate_call=True, revert_on_failure=False) results.append(Result({success: success, return_data: return_data})) assert msg.value == value_accumulator, "Multicall: value mismatch" return results

Patches

Fixed in https://github.com/vyperlang/vyper/pull/3755

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T18:42:28Z",
    "nvd_published_at": "2024-01-30T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nVyper compiler allows passing a value in builtin `raw_call` even if the call is a `delegatecall` or a `staticcall`. But in the context of `delegatecall` and `staticcall` the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the `value=` argument.\n\nA contract search was performed and no vulnerable contracts were found in production.\n\n### Details\nThe IR for `raw_call` is built in the `RawCall` class:\nhttps://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100\n\nHowever, the compiler doesn\u0027t validate that if either `delegatecall` or `staticall` are provided as kwargs, that `value` wasn\u0027t set. For example, the following compiles without errors:\n```python\nraw_call(self, call_data2, max_outsize=255, is_delegate_call=True, value=msg.value/2)\n```\n\n### Impact\nIf the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. However in fact, no `value` will be sent.\n\nHere is an example of an potentially problematic implementation of multicall utilizing the `raw_call` built-in:\n```python\nvalue_accumulator: uint256 = empty(uint256)\n    results: DynArray[Result, max_value(uint8)] = []\n    return_data: Bytes[max_value(uint8)] = b\"\"\n    success: bool = empty(bool)\n    for batch in data:\n        msg_value: uint256 = batch.value\n        value_accumulator = unsafe_add(value_accumulator, msg_value)\n        if (batch.allow_failure == False):\n            return_data = raw_call(self, batch.call_data, max_outsize=255, value=msg_value, is_delegate_call=True)\n            success = True\n            results.append(Result({success: success, return_data: return_data}))\n        else:\n            success, return_data = \\\n                raw_call(self, batch.call_data, max_outsize=255, value=msg_value, is_delegate_call=True, revert_on_failure=False)\n            results.append(Result({success: success, return_data: return_data}))\n    assert msg.value == value_accumulator, \"Multicall: value mismatch\"\n    return results\n```\n\n### Patches\nFixed in https://github.com/vyperlang/vyper/pull/3755\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_\n",
  "id": "GHSA-x2c2-q32w-4w6m",
  "modified": "2024-11-22T20:46:32Z",
  "published": "2024-01-30T18:42:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24567"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/pull/3755"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/commit/a2df08888c318713742c57f71465f32a1c27ed72"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-151.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vyper\u0027s raw_call `value=` kwargs not disabled for static and delegate calls"
}

pysec-2024-151

Vulnerability from pysec

Published

2024-01-30 21:15

Modified

2024-11-21 14:23

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the value kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper",
        "purl": "pkg:pypi/vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.0b1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0b1",
        "0.1.0b10",
        "0.1.0b11",
        "0.1.0b12",
        "0.1.0b13",
        "0.1.0b14",
        "0.1.0b15",
        "0.1.0b16",
        "0.1.0b17",
        "0.1.0b2",
        "0.1.0b3",
        "0.1.0b4",
        "0.1.0b5",
        "0.1.0b6",
        "0.1.0b7",
        "0.1.0b8",
        "0.1.0b9",
        "0.2.1",
        "0.2.10",
        "0.2.11",
        "0.2.12",
        "0.2.13",
        "0.2.14",
        "0.2.15",
        "0.2.16",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.2.5",
        "0.2.6",
        "0.2.7",
        "0.2.8",
        "0.2.9",
        "0.3.0",
        "0.3.1",
        "0.3.10",
        "0.3.10rc1",
        "0.3.10rc2",
        "0.3.10rc3",
        "0.3.10rc4",
        "0.3.10rc5",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.3.6",
        "0.3.7",
        "0.3.8",
        "0.3.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24567",
    "GHSA-x2c2-q32w-4w6m"
  ],
  "details": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions.",
  "id": "PYSEC-2024-151",
  "modified": "2024-11-21T14:23:03.091183+00:00",
  "published": "2024-01-30T21:15:00+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

gsd-2024-24567

Vulnerability from gsd

Modified

2024-01-26 06:02

Details

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions.

Aliases

CVE-2024-24567

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-24567"
      ],
      "details": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions.",
      "id": "GSD-2024-24567",
      "modified": "2024-01-26T06:02:25.967512Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-24567",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "vyper",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c= 0.3.10"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "vyperlang"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-754",
                "lang": "eng",
                "value": "CWE-754: Improper Check for Unusual or Exceptional Conditions"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m",
            "refsource": "MISC",
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m"
          },
          {
            "name": "https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100",
            "refsource": "MISC",
            "url": "https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-x2c2-q32w-4w6m",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*",
                    "matchCriteriaId": "832C489D-4288-46B4-A29E-0E7168748042",
                    "versionEndIncluding": "0.3.10",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions."
          },
          {
            "lang": "es",
            "value": "Vyper es un Smart Contract Language pythonico para la m\u00e1quina virtual ethereum. El compilador de Vyper permite pasar un valor en raw_call incorporado incluso si la llamada es una llamada delegada o una llamada est\u00e1tica. Pero en el contexto de delegarcall y staticcall el manejo del valor no es posible debido a la sem\u00e1ntica de los respectivos c\u00f3digos de operaci\u00f3n, y vyper ignorar\u00e1 silenciosamente el argumento value=. Si el desarrollador desconoce la sem\u00e1ntica del EVM, podr\u00eda sospechar que al especificar el \"valor\" kwarg, se enviar\u00e1 exactamente la cantidad dada al objetivo. Esta vulnerabilidad afecta a la versi\u00f3n 0.3.10 y versiones anteriores."
          }
        ],
        "id": "CVE-2024-24567",
        "lastModified": "2024-02-06T19:41:58.417",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 1.4,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 2.5,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-01-30T21:15:08.607",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Exploit"
            ],
            "url": "https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Exploit",
              "Vendor Advisory"
            ],
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-754"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

cve-2024-24567

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

cve-2024-24567

Vulnerability from cvelistv5

ghsa-x2c2-q32w-4w6m

Vulnerability from github

Summary

Details

Impact

Patches

Workarounds

References

pysec-2024-151

Vulnerability from pysec

gsd-2024-24567

Vulnerability from gsd

Tags

Sightings

Nomenclature