ghsa-vxmm-cwh2-q762
Vulnerability from github
6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Impact
in contracts with at least one regular nonpayable function, due to the callvalue check being inside of the selector section, it is possible to send funds to the default function by using less than 4 bytes of calldata, even if the default function is marked nonpayable
. this applies to contracts compiled with vyper<=0.3.7.
```vyper
@version 0.3.7
implicitly nonpayable
@external def foo() -> uint256: return 1
implicitly nonpayable
@external def default(): # could receive ether here pass ```
Patches
this was fixed by the removal of the global calldatasize check in https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.
Workarounds
don't use nonpayable default functions
{ affected: [ { package: { ecosystem: "PyPI", name: "vyper", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "0.3.8", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2023-32675", ], database_specific: { cwe_ids: [ "CWE-670", ], github_reviewed: true, github_reviewed_at: "2023-05-22T20:35:46Z", nvd_published_at: "2023-05-19T20:15:09Z", severity: "MODERATE", }, details: "### Impact\nin contracts with at least one regular nonpayable function, due to the callvalue check being inside of the selector section, it is possible to send funds to the default function by using less than 4 bytes of calldata, even if the default function is marked `nonpayable`. this applies to contracts compiled with vyper<=0.3.7.\n```vyper\n# @version 0.3.7\n\n# implicitly nonpayable\n@external\ndef foo() -> uint256:\n return 1\n\n# implicitly nonpayable\n@external\ndef __default__():\n # could receive ether here\n pass\n```\n\n### Patches\nthis was fixed by the removal of the global calldatasize check in https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.\n\n### Workarounds\ndon't use nonpayable default functions\n\n", id: "GHSA-vxmm-cwh2-q762", modified: "2024-11-19T16:42:42Z", published: "2023-05-22T20:35:46Z", references: [ { type: "WEB", url: "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762", }, { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32675", }, { type: "WEB", url: "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520", }, { type: "WEB", url: "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.", }, { type: "WEB", url: "https://github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9", }, { type: "WEB", url: "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-80.yaml", }, { type: "PACKAGE", url: "https://github.com/vyperlang/vyper", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", type: "CVSS_V3", }, { score: "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", type: "CVSS_V4", }, ], summary: "Vyper's nonpayable default functions are sometimes payable", }
Log in or create an account to share your comment.
This schema specifies the format of a comment related to a security advisory.
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.