7 matches found
vyper performs incorrect topic logging in raw_log
Summary Incorrect values can be logged when rawlog builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable contracts were found in production. In particular, no uses of rawlog were found at all in production; it is apparently not ...
GHSA-M2V9-W374-5HJ9 vyper default functions don't respect nonreentrancy keys
Summary Prior to v0.3.0, default functions did not respect the @nonreentrancy decorator and the lock was not emitted. This is a known bug and was already visible in the issue tracker https://github.com/vyperlang/vyper/issues/2455, but it is being re-issued as an advisory so that tools relying on...
GHSA-2Q8V-3GQQ-4F8P concat built-in can corrupt memory in vyper
Summary concat built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the buildIR for concat doesn't properly adhere to the API of copy functions for =0.3.2 the copybytes function. A contract search was...
CVE-2024-22419
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The concat built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the buildIR for concat doesn't properly adhere to the API of co...
Contracts are vulnerable to fee-on-transfer accounting-related issues
Lines of code 359, 448, 509, 530, 42, 797, 162 Vulnerability details Impact The functions below transfer funds from the caller to the receiver via transferFrom, but do not ensure that the actual number of tokens received is the same as the input amount to the transfer. If the token is a...
@avalabs/avalanche-wallet-sdk (>=0.3.0 <=0.9.4), @b0dhidharma/contract-utils (=0.1.1) +48 more potentially affected by CVE-2021-39167 via @openzeppelin/contracts (>=4.0.0 <=4.3.0)
@openzeppelin/contracts NPM version =4.0.0, =0.3.0, =0.0.2, =1.0.0, =1.1.0, =2.0.0, =0.1.1, =0.0.1, =3.0.0-alpha.2, =3.0.0-alpha.1, =3.0.0-alpha.1, =3.0.0-alpha.1, =0.0.0-863d96e4, =0.0.23-canary and more Source cves: CVE-2021-39167 Source advisory: OSV:GHSA-FG47-3C2X-M2WR...
New proxyOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018-10376)
On 4/24/2018, 01:17:50 p.m. UTC, PeckShield again detected an unusual MESH token transaction shown in Figure 1. In this particular transaction, someone transferred a large amount of MESH token — 0x8fff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff 63 f’s to herself...