ghsa-vxmm-cwh2-q762
Vulnerability from github
Published
2023-05-22 20:35
Modified
2023-10-04 17:28
Severity ?
Summary
Vyper's nonpayable default functions are sometimes payable
Details
Impact
in contracts with at least one regular nonpayable function, due to the callvalue check being inside of the selector section, it is possible to send funds to the default function by using less than 4 bytes of calldata, even if the default function is marked nonpayable. this applies to contracts compiled with vyper<=0.3.7.
```vyper
@version 0.3.7
implicitly nonpayable
@external def foo() -> uint256: return 1
implicitly nonpayable
@external def default(): # could receive ether here pass ```
Patches
this was fixed by the removal of the global calldatasize check in https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.
Workarounds
don't use nonpayable default functions
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vyper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32675"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-22T20:35:46Z",
"nvd_published_at": "2023-05-19T20:15:09Z",
"severity": "LOW"
},
"details": "### Impact\nin contracts with at least one regular nonpayable function, due to the callvalue check being inside of the selector section, it is possible to send funds to the default function by using less than 4 bytes of calldata, even if the default function is marked `nonpayable`. this applies to contracts compiled with vyper\u003c=0.3.7.\n```vyper\n# @version 0.3.7\n\n# implicitly nonpayable\n@external\ndef foo() -\u003e uint256:\n return 1\n\n# implicitly nonpayable\n@external\ndef __default__():\n # could receive ether here\n pass\n```\n\n### Patches\nthis was fixed by the removal of the global calldatasize check in https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.\n\n### Workarounds\ndon\u0027t use nonpayable default functions\n\n",
"id": "GHSA-vxmm-cwh2-q762",
"modified": "2023-10-04T17:28:17Z",
"published": "2023-05-22T20:35:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32675"
},
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520"
},
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-80.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vyperlang/vyper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vyper\u0027s nonpayable default functions are sometimes payable"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.