4 matches found
vyper performs double eval of the slice start/length args in certain cases
Summary Using the slice builtin can result in a double eval vulnerability when the buffer argument is either msg.data, self.code or .code and either the start or length arguments have side-effects. A contract search was performed and no vulnerable contracts were found in production. Having...
vyper performs multiple eval of `sqrt()` argument built in
Summary Using the sqrt builtin can result in multiple eval evaluation of side effects when the argument has side-effects. The bug is more difficult but not impossible! to trigger as of 0.3.4, when the unique symbol fence was introduced https://github.com/vyperlang/vyper/pull/2914. A contract sear...
CVE-2024-32646
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the slice builtin can result in a double eval vulnerability when the buffer argument is either msg.data, self.code or .code and either the start or length arguments have side-effects...
CVE-2024-32646
Vyper CVE-2024-32646 affects the Pythonic smart contract language. The vulnerability concerns the builtin slice when the buffer is msg.data, self.code, or .code and either the start or length has side-effects, causing a double evaluation of those side-effects. It is triggerable only in versions e...