Lucene search

GitHub_MCVE-2024-32646

HistoryApr 25, 2024 - 6:15 p.m.

CVE-2024-32646

2024-04-2518:15:08

CWE-20

GitHub_M

web.nvd.nist.gov

vyper

smart contract

language

ethereum

virtual machine

slice builtin

double eval vulnerability

buffer argument

msg.data

self.code

address.code

side-effects

unique symbol fence

production contracts

client tests

low impact

fixed versions

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

Confidence

Low

EPSS

Percentile

9.0%

JSON

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the slice builtin can result in a double eval vulnerability when the buffer argument is either msg.data, self.code or <address>.code and either the start or length arguments have side-effects. It can be easily triggered only with the versions <0.3.4 as 0.3.4 introduced the unique symbol fence. No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.

Affected configurations

Vulners

Node

vyperlangvyperRange≤0.3.10

VendorProductVersionCPE
vyperlangvyper*cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vyperlang	vyper	*	cpe:2.3:a:vyperlang:vyper::::::::

CNA Affected

[
  {
    "vendor": "vyperlang",
    "product": "vyper",
    "versions": [
      {
        "version": "<= 0.3.10",
        "status": "affected"
      }
    ]
  }
]