ghsa-xchq-w5r3-4wg3
Vulnerability from github
Summary
Incorrect values can be logged when the `raw_log` builtin is called with memory or storage arguments to be used as topics.
A contract search was performed and no vulnerable contracts were found in production. In particular, no uses of `raw_log()` were found at all in production; it is apparently not a well-known function.
Details
The `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics.
PoC
```vyper
x: bytes32

@external
def f():
    self.x = 0x1234567890123456789012345678901234567890123456789012345678901234
    raw_log([self.x], b"")  # LOG1(offset:0x60, size:0x00, topic1:0x00)

    y: bytes32 = 0x1234567890123456789012345678901234567890123456789012345678901234
    raw_log([y], b"")  # LOG1(offset:0x80, size:0x00, topic1:0x40)
```
Patches
Fixed in https://github.com/vyperlang/vyper/pull/3977.
Impact
Incorrect values can be logged, which may result in unexpected behavior in client-side applications relying on these logs.
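A source-level check for the pattern described above, as an added example that is not part of the advisory or the Vyper project: it flags `raw_log` calls whose topic list contains a variable reference and tests whether a compiler version is below the fixed release 0.4.0. The function names, the regex heuristic and the sample contract are assumptions made for illustration; pre-release builds of 0.4.0 are conservatively treated as affected.

```python
import re

FIXED = (0, 4, 0)  # "fixed" release from the advisory's affected range

# Heuristic (assumption): a topic written as a bare name or self.<name> is a
# memory or storage variable; literals and call expressions are not matched.
VAR_TOPIC = re.compile(r"^(self\.)?[A-Za-z_]\w*$")
RAW_LOG = re.compile(r"\braw_log\s*\(\s*\[([^\]]*)\]")

def is_affected(version: str) -> bool:
    """True if a vyper version string is below the fixed release 0.4.0."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([^+]*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    release = tuple(int(g) for g in m.groups()[:3])
    # Assumption: pre-releases of 0.4.0 (e.g. rc builds) count as affected.
    return release < FIXED or (release == FIXED and m.group(4) != "")

def variable_topics(source: str):
    """Return (line_number, topic) for each raw_log topic that is a variable."""
    # Drop comments first so commented-out calls are not reported.
    code = "\n".join(line.split("#", 1)[0] for line in source.splitlines())
    hits = []
    for call in RAW_LOG.finditer(code):
        lineno = code.count("\n", 0, call.start()) + 1
        for topic in call.group(1).split(","):
            topic = topic.strip()
            if VAR_TOPIC.match(topic):
                hits.append((lineno, topic))
    return hits

# Constructed sample: the advisory's PoC plus one call with a literal topic.
VALUE = "0x1234567890123456789012345678901234567890123456789012345678901234"
SAMPLE = f'''\
x: bytes32

@external
def f():
    self.x = {VALUE}
    raw_log([self.x], b"")
    y: bytes32 = {VALUE}
    raw_log([y], b"")
    raw_log([{VALUE}], b"")
'''

if __name__ == "__main__":
    for lineno, topic in variable_topics(SAMPLE):
        print(f"line {lineno}: raw_log topic {topic!r} is a variable reference")
```

Named constants are also written as bare names, so a hit is a prompt to review the call and the compiler version used for the deployed bytecode, not proof of a wrong log.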
```json
{
  "affected": [
    {
      "package": { "ecosystem": "PyPI", "name": "vyper" },
      "ranges": [
        {
          "events": [ { "introduced": "0" }, { "fixed": "0.4.0" } ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [ "CVE-2024-32645" ],
  "database_specific": {
    "cwe_ids": [ "CWE-20" ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T19:53:10Z",
    "nvd_published_at": "2024-04-25T18:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nIncorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics.\n\nA contract search was performed and no vulnerable contracts were found in production. In particular, no uses of `raw_log()` were found at all in production; it is apparently not a well-known function.\n\n### Details\nThe `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics.\n\n### PoC\n```vyper\nx: bytes32\n\n@external\ndef f():\n self.x = 0x1234567890123456789012345678901234567890123456789012345678901234\n raw_log([self.x], b\"\") # LOG1(offset:0x60, size:0x00, topic1:0x00)\n\n y: bytes32 = 0x1234567890123456789012345678901234567890123456789012345678901234\n raw_log([y], b\"\") # LOG1(offset:0x80, size:0x00, topic1:0x40)\n```\n### Patches\nFixed in https://github.com/vyperlang/vyper/pull/3977.\n\n### Impact\nIncorrect values can be logged which may result in unexpected behavior in client-side applications relying on these logs.\n",
  "id": "GHSA-xchq-w5r3-4wg3",
  "modified": "2024-06-18T15:01:23Z",
  "published": "2024-04-25T19:53:10Z",
  "references": [
    { "type": "WEB", "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-xchq-w5r3-4wg3" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32645" },
    { "type": "PACKAGE", "url": "https://github.com/vyperlang/vyper" }
  ],
  "schema_version": "1.4.0",
  "severity": [
    { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "type": "CVSS_V3" }
  ],
  "summary": "vyper performs incorrect topic logging in raw_log"
}
```