GoogleOSV:GHSA-VXMM-CWH2-Q762Vyper's nonpayable default functions are sometimes payable
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
29.0%
Impact
in contracts with at least one regular nonpayable function, due to the callvalue check being inside of the selector section, it is possible to send funds to the default function by using less than 4 bytes of calldata, even if the default function is marked nonpayable. this applies to contracts compiled with vyper<=0.3.7.
# @version 0.3.7
# implicitly nonpayable
@external
def foo() -> uint256:
return 1
# implicitly nonpayable
@external
def __default__():
# could receive ether here
pass
Patches
this was fixed by the removal of the global calldatasize check in https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.
Workarounds
don’t use nonpayable default functions
References
github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-80.yaml
github.com/vyperlang/vyper
github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520
github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9
github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762
nvd.nist.gov/vuln/detail/CVE-2023-32675
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
29.0%