5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
6.9 Medium
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.0004 Low
EPSS
Percentile
8.4%
Using the sqrt
builtin can result in multiple eval evaluation of side effects when the argument has side-effects. The bug is more difficult (but not impossible!) to trigger as of 0.3.4, when the unique symbol fence was introduced (https://github.com/vyperlang/vyper/pull/2914).
A contract search was performed and no vulnerable contracts were found in production.
It can be seen that the build_IR
function of the sqrt
builtin doesn’t cache the argument to the stack:
https://github.com/vyperlang/vyper/blob/4595938734d9988f8e46e8df38049ae0559abedb/vyper/builtins/functions.py#L2151
As such, it can be evaluated multiple times (instead of retrieving the value from the stack).
With at least Vyper version 0.2.15+commit.6e7dba7
the following contract:
c: uint256
@internal
def some_decimal() -> decimal:
self.c += 1
return 1.0
@external
def foo() -> uint256:
k: decimal = sqrt(self.some_decimal())
return self.c
passes the following test:
// SPDX-License-Identifier: MIT
pragma solidity >=0.8.13;
import "../../lib/ds-test/test.sol";
import "../../lib/utils/Console.sol";
import "../../lib/utils/VyperDeployer.sol";
import "../ITest.sol";
contract ConTest is DSTest {
VyperDeployer vyperDeployer = new VyperDeployer();
ITest t;
function setUp() public {
t = ITest(vyperDeployer.deployContract("Test"));
}
function testFoo() public {
uint256 val = t.foo();
console.log(val);
assert (val == 4);
}
}
No vulnerable production contracts were found.
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
6.9 Medium
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.0004 Low
EPSS
Percentile
8.4%