Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zd2hxLTY0cTItcWZqNs4AA7UH
vyper performs double eval of raw_args in create_from_blueprint
Summary
Using the create_from_blueprint builtin can result in a double eval vulnerability when raw_args=True and the args argument has side-effects.
A contract search was performed and no vulnerable contracts were found in production. In particular, the raw_args variant of create_from_blueprint was not found to be used in production.
Details
It can be seen that the _build_create_IR function of the create_from_blueprint builtin doesn't cache the mentioned args argument to the stack: https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847
As such, it can be evaluated multiple times (instead of retrieving the value from the stack).
PoC
The vulnerability is demonstrated in the following boa test:
src1 = """
c: uint256
"""
deployer = """
created_address: public(address)
deployed: public(uint256)
@external
def get() -> Bytes[32]:
self.deployed += 1
return b''
@external
def create_(target: address):
self.created_address = create_from_blueprint(target, raw_call(self, method_id("get()"), max_outsize=32), raw_args=True, code_offset=3)
"""
Factory = b.loads_partial(src1)
c = Factory.deploy_as_blueprint()
c2 = b.loads(deployer, b'')
c2.create_(c)
c2.deployed()
The output of c2.deployed() is 2 although create_ was called only once and the value was initialized to 0.
Impact
No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zd2hxLTY0cTItcWZqNs4AA7UH
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 days ago
Updated: 11 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-3whq-64q2-qfj6, CVE-2024-32647
References:
- https://github.com/vyperlang/vyper/security/advisories/GHSA-3whq-64q2-qfj6
- https://nvd.nist.gov/vuln/detail/CVE-2024-32647
- https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847
- https://github.com/advisories/GHSA-3whq-64q2-qfj6
Blast Radius: 12.6
Affected Packages
pypi:vyper
Dependent packages: 3Dependent repositories: 236
Downloads: 48,848 last month
Affected Version Ranges: <= 0.3.10
No known fixed version
All affected versions: 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10