Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12eG1tLWN3aDItcTc2Ms4AAzbG

Vyper's nonpayable default functions are sometimes payable

Impact

In contracts with at least one regular nonpayable function, because the callvalue check sits inside the selector section, it is possible to send funds to the default function by supplying fewer than 4 bytes of calldata, even if the default function is marked nonpayable. This applies to contracts compiled with Vyper <= 0.3.7.

# @version 0.3.7

# implicitly nonpayable
@external
def foo() -> uint256:
    return 1

# implicitly nonpayable
@external
def __default__():
    # could receive ether here
    pass

Patches

This was fixed by the removal of the global calldatasize check in https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.
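The dispatch-order issue described under Impact and the effect of the fix described under Patches, as an added Python model that is not Vyper's own code: the control flow is a simplification of what the advisory describes, and the selector constant, return strings and function names are constructed for illustration.

```python
"""Model of Vyper external-call dispatch around GHSA-vxmm-cwh2-q762.

Added illustration, not Vyper's generated code. The ordering of checks is a
simplification of what the advisory describes; the selector value is a
constructed placeholder, not a computed keccak hash.
"""
from typing import Callable

FOO_SELECTOR = bytes.fromhex("c2985578")  # constructed placeholder for foo()


class Reverted(Exception):
    """Stands in for an EVM REVERT."""


def _default_body(callvalue: int) -> str:
    # Body of __default__ from the advisory's contract: nothing in the body
    # itself rejects ether, so any value that reaches it is kept.
    return f"__default__ kept {callvalue} wei"


def dispatch_vulnerable(calldata: bytes, callvalue: int) -> str:
    """Vyper <= 0.3.7 as modeled here: a global calldatasize check runs
    before the selector section and jumps straight to the default body."""
    if len(calldata) < 4:
        return _default_body(callvalue)  # nonpayable assertion never reached
    # selector section: each branch carries its own callvalue assertion
    if calldata[:4] == FOO_SELECTOR:
        if callvalue != 0:
            raise Reverted("foo is nonpayable")
        return "foo -> 1"
    if callvalue != 0:
        raise Reverted("__default__ is nonpayable")
    return _default_body(callvalue)


def dispatch_fixed(calldata: bytes, callvalue: int) -> str:
    """Vyper >= 0.3.8 as modeled here: no global shortcut, so short calldata
    falls through to the default branch and hits its callvalue assertion."""
    if len(calldata) >= 4 and calldata[:4] == FOO_SELECTOR:
        if callvalue != 0:
            raise Reverted("foo is nonpayable")
        return "foo -> 1"
    if callvalue != 0:
        raise Reverted("__default__ is nonpayable")
    return _default_body(callvalue)


def accepts_value_on_short_calldata(dispatch: Callable[[bytes, int], str]) -> bool:
    """Regression check: True if a 1 wei call with empty calldata reaches
    __default__ instead of reverting, i.e. the nonpayable marker is bypassed."""
    try:
        dispatch(b"", 1)
    except Reverted:
        return False
    return True
```

The same check expressed against a deployed contract (a zero-selector call with value that should revert) is the regression test to keep after upgrading to 0.3.8.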

Workarounds

Don't use nonpayable default functions.

Permalink: https://github.com/advisories/GHSA-vxmm-cwh2-q762
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12eG1tLWN3aDItcTc2Ms4AAzbG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-vxmm-cwh2-q762, CVE-2023-32675
References: Repository: https://github.com/vyperlang/vyper
Blast Radius: 8.8

Affected Packages

pypi:vyper
Dependent packages: 3
Dependent repositories: 236
Downloads: 40,650 last month
Affected Version Ranges: < 0.3.8
Fixed in: 0.3.8
All affected versions: 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7
All unaffected versions: 0.3.8, 0.3.9, 0.3.10