Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12eG1tLWN3aDItcTc2Ms4AAzbG
Vyper's nonpayable default functions are sometimes payable
Impact
In contracts with at least one regular nonpayable function, the callvalue check is emitted inside the selector section. A call that supplies fewer than 4 bytes of calldata skips that section and lands directly in the default function, so ether can be sent to `__default__` even though it is marked nonpayable. This applies to contracts compiled with vyper <= 0.3.7.
# @version 0.3.7

# implicitly nonpayable
@external
def foo() -> uint256:
    return 1

# implicitly nonpayable
@external
def __default__():
    # could receive ether here
    pass
Patches
This was fixed by removing the global calldatasize check in https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.
Workarounds
Until you can recompile with vyper 0.3.8 or later, do not declare a nonpayable default function.
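The following is an added example, not code from the Vyper project or from the advisory. It models the dispatcher layout described under Impact and Patches: a vulnerable variant in which a global calldatasize shortcut jumps straight into `__default__` while the callvalue assertion lives inside the selector section, and a fixed variant without that shortcut. The `Func`/`Tx` types, the stub function bodies, the `0xC0FFEE` address and the sample transactions are constructed for illustration; real EVM codegen differs in detail. It also includes a small triage helper that flags the transaction shape (value attached, under 4 bytes of calldata) which reaches `__default__` on a vulnerable build.

```python
"""Model of the CVE-2023-32675 dispatch bug (vyper <= 0.3.7).

Added example, not Vyper project code. Dispatcher layouts are a simplified
model of the advisory text; bodies, selector constant and addresses are
assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class Revert(Exception):
    """Stand-in for the EVM REVERT opcode."""


@dataclass
class Func:
    selector: Optional[bytes]   # None for __default__
    payable: bool
    body: Callable[[], str]     # stand-in for the function's code


# keccak256("foo()")[:4]; hard-coded because hashlib has no keccak256
FOO_SELECTOR = bytes.fromhex("c2985578")

# The advisory's contract: one nonpayable external function, nonpayable __default__.
CONTRACT: Dict[str, Func] = {
    "foo": Func(FOO_SELECTOR, payable=False, body=lambda: "foo"),
    "__default__": Func(None, payable=False, body=lambda: "default"),
}


def _check_value(f: Func, value: int) -> None:
    """The nonpayable guard: assert callvalue == 0 unless the function is payable."""
    if not f.payable and value != 0:
        raise Revert("nonpayable function received value")


def dispatch_vulnerable(calldata: bytes, value: int, funcs: Dict[str, Func] = CONTRACT) -> str:
    """Models vyper <= 0.3.7: a global calldatasize check runs before the
    selector section and jumps straight into __default__'s body."""
    if len(calldata) < 4:
        # __default__'s callvalue check is emitted in the selector section
        # below, so this path never executes it: the value is accepted.
        return funcs["__default__"].body()
    sel = calldata[:4]
    for f in funcs.values():
        if f.selector == sel:
            _check_value(f, value)
            return f.body()
    default = funcs["__default__"]   # no selector matched: guarded fallthrough
    _check_value(default, value)
    return default.body()


def dispatch_fixed(calldata: bytes, value: int, funcs: Dict[str, Func] = CONTRACT) -> str:
    """Models >= 0.3.8: no global shortcut, so short calldata simply matches no
    selector and reaches __default__ only through its guarded entry."""
    sel = calldata[:4] if len(calldata) >= 4 else None
    for f in funcs.values():
        if f.selector is not None and f.selector == sel:
            _check_value(f, value)
            return f.body()
    default = funcs["__default__"]
    _check_value(default, value)
    return default.body()


def reverts(dispatch: Callable[..., str], calldata: bytes, value: int) -> bool:
    """True if the given dispatcher rejects the call."""
    try:
        dispatch(calldata, value)
    except Revert:
        return True
    return False


@dataclass
class Tx:
    tx_hash: str
    to: str
    value: int
    calldata: bytes


def flag_default_deposits(txs: List[Tx], target: str) -> List[str]:
    """Triage helper: hashes of txs to `target` carrying value with fewer than
    4 bytes of calldata, the shape that reaches __default__ on a vulnerable build."""
    return [t.tx_hash for t in txs
            if t.to == target and t.value > 0 and len(t.calldata) < 4]


# Constructed sample transactions (not real chain data).
TARGET = "0xC0FFEE"
SAMPLE_TXS = [
    Tx("0xa1", TARGET, 0, FOO_SELECTOR),              # normal call to foo()
    Tx("0xa2", TARGET, 10**18, b""),                  # 1 ether, empty calldata
    Tx("0xa3", TARGET, 5 * 10**17, b"\x01\x02\x03"),  # value plus 3 bytes of calldata
    Tx("0xa4", TARGET, 10**18, FOO_SELECTOR),         # value to foo(): reverts on both builds
    Tx("0xa5", "0xDEAD", 10**18, b""),                # different contract, ignored
]

if __name__ == "__main__":
    print("vulnerable, 3-byte calldata + value:", dispatch_vulnerable(b"\x01\x02\x03", 1))
    print("fixed, same call reverts:", reverts(dispatch_fixed, b"\x01\x02\x03", 1))
    print("flagged:", flag_default_deposits(SAMPLE_TXS, TARGET))
```

The important property to check on a real deployment is the one `flag_default_deposits` approximates: any historical transaction to a contract built with vyper <= 0.3.7 that carries value and fewer than 4 bytes of calldata credited ether that the contract's author believed could not arrive, which matters if the contract's accounting assumes its balance only changes through payable functions.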
Permalink: https://github.com/advisories/GHSA-vxmm-cwh2-q762
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12eG1tLWN3aDItcTc2Ms4AAzbG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: about 2 months ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Percentage: 0.00075
EPSS Percentile: 0.34523
Identifiers: GHSA-vxmm-cwh2-q762, CVE-2023-32675
References:
- https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762
- https://nvd.nist.gov/vuln/detail/CVE-2023-32675
- https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520
- https://github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9
- https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-80.yaml
- https://github.com/advisories/GHSA-vxmm-cwh2-q762
Blast Radius: 8.8
Affected Packages
pypi:vyper
Dependent packages: 5
Dependent repositories: 236
Downloads: 90,482 last month
Affected Version Ranges: < 0.3.8
Fixed in: 0.3.8
All affected versions: 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7
All unaffected versions: 0.3.8, 0.3.9, 0.3.10, 0.4.0