7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.0005 Low
EPSS
Percentile
18.0%
_abi_decode()
does not validate input when it is nested in an expression. the following example gets correctly validated (bounds checked):
x: int128 = _abi_decode(slice(msg.data, 4, 32), int128)
however, the following example is not bounds checked
@external
def abi_decode(x: uint256) -> uint256:
a: uint256 = convert(_abi_decode(slice(msg.data, 4, 32), (uint8)), uint256) + 1
return a # abi_decode(256) returns: 257
the issue can be triggered by constructing an example where the output of _abi_decode
is not internally passed to make_setter
(an internal codegen routine) or other input validating routine.
https://github.com/vyperlang/vyper/pull/3626
Is there a way for users to fix or remediate the vulnerability without upgrading?
Are there any links users can visit to find out more?